Sending username and password in each request is small.
You can use anything you want to send cookies. It is just another HTTP header. But this raises the question of what is in the cookie. It depends on your client/server architecture. Web applications use session keys because traditionally web clients have no state, which is why the application server has to have it. Own clients can have all kinds of state and, as a rule, do not need a server to provide this.
But you need authentication. What are OAuth and OAuth 2 for? They allow you to authenticate once, and then use tokens that can be invalidated on the server side. Kind of like very long-lived sessions without data.
They are a little complicated, but there are open source libraries for both the server and client parts, or you can write a minimal one of your own. Most of the difficulty lies in obtaining the original token, which you can short-circuit if you have a client and server. OAuth can become quite complex because all requests are signed with a secret token. OAuth 2 can be as simple as a shared secret (requiring SSL) in a cookie.
smparkes
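The pattern the answer above describes (authenticate once, then present a token that the server can invalidate) as an added example, not code from the answer or from any OAuth library. `TokenStore`, `check_password` and the demo account are hypothetical names and constructed data; the token is assumed to travel only over TLS, in a cookie or an `Authorization` header.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo account; a real server would use its own password store.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def check_password(user, password):
    """Constant-time comparison against the stored password hash."""
    stored = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)


class TokenStore:
    """Server-side record of issued tokens: a long-lived session without data."""

    def __init__(self, lifetime_seconds=30 * 24 * 3600):
        self.lifetime = lifetime_seconds
        self._tokens = {}  # sha256(token) -> (user, expiry); raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, password, now=None):
        """The one request that carries the password; returns a token or None."""
        if not check_password(user, password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user, now + self.lifetime)
        return token

    def authenticate(self, token, now=None):
        """Every later request: map the token to a user, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        user, expiry = self._tokens.get(key, (None, 0))
        if user is None or now >= expiry:
            self._tokens.pop(key, None)  # drop expired entries on sight
            return None
        return user

    def revoke(self, token):
        """Server-side invalidation, e.g. on logout or a lost device."""
        return self._tokens.pop(self._digest(token), None) is not None
```

Because only the SHA-256 digest of each token is kept, a leaked copy of the server's table does not yield usable tokens.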