There are two topics in this question. One is about security, and it seems to be about REST rules.
A secure authentication method is to pass this data over an SSL connection. This is the only way to transfer data securely over the wire.
Regarding sending authentication using basic auth per request (REST), not many people I know do this in reality.
There is always a long discussion about how much security to provide, and it really depends on your application and its purpose. I know that this is not the final answer you may be looking for, but I will just give you my opinion and how I am going to deal with the problems you mentioned.
In RESTful applications, authentication should be checked on every request, but in real practice I think this is more of a "guide" than a hard rule. It is a rare application that is completely RESTful and follows all the rules. I use an encrypted cookie to store user session data, with a standard authentication flow that occurs once and expires in a week. Data is transmitted via SSL to prevent MITM attacks, and a modified synchronizer token pattern sends a CSRF token along with each POST, PUT, DELETE to prevent cross-site request forgery. Perhaps that is "good enough" for the social app I'm working on. Maybe not if you do bank transfers and stuff. Hope this helps you determine what you want to do.
jmk2142
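The check the answer above describes, session cookie plus a CSRF token on state-changing methods only, as an added example that is not the answerer's code. It assumes a session id carried in the cookie, derives the token from it with an HMAC under a constructed server secret, and compares in constant time; `issue_csrf_token`, `csrf_allowed` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Only these methods change state; safe methods (GET, HEAD, OPTIONS) carry no token.
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}

# Constructed server secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the per-session CSRF token as HMAC(secret, session_id).

    Binding the token to the session means a token copied from one session
    is useless for another, and the server stores nothing extra.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_allowed(method: str, session_id: Optional[str], supplied_token: Optional[str],
                 secret: bytes = SERVER_SECRET) -> bool:
    """Return True if the request may proceed under the synchronizer-token rule."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True                      # safe method: no token required
    if not session_id or not supplied_token:
        return False                     # cross-site form submits the cookie but no token
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(expected, supplied_token)


def demo() -> dict:
    """Constructed requests: a legitimate client versus a forged cross-site request."""
    sid = "sess-3f9a1c"                  # constructed value the encrypted cookie would carry
    token = issue_csrf_token(sid)
    return {
        "get_without_token": csrf_allowed("GET", sid, None),
        "post_with_token": csrf_allowed("POST", sid, token),
        "forged_post_no_token": csrf_allowed("POST", sid, None),   # browser sent cookie only
        "delete_with_other_sessions_token": csrf_allowed("DELETE", sid, issue_csrf_token("sess-other")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```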