且构网

How to handle user authentication persistence on iOS?

Updated: 2023-12-06 07:50:21

Sending username and password in every request is not great.

You can use anything you want to send cookies. It's just another HTTP header. But that begs the question of what is in the cookie. It depends on what your client/server architecture is. Web apps use session keys because traditionally web clients haven't held any state so the app server had to. Native clients can have all sorts of state and so generally don't need the server to provide that.

But you need authentication. That's what things like OAuth and OAuth 2 are for. They allow you to authenticate once and then use tokens that can be invalidated server-side. Kind of like very long lived sessions without data.

They are a bit complicated but there are open source libraries for both the server and client pieces or you can roll your own. Most of the complication is on getting the original token which you can short-circuit if you own the client and server. OAuth can get pretty complicated because all requests are signed with a secret token. OAuth 2 can be as simple as a shared secret (thus requiring SSL) in a cookie.
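
The "authenticate once, then use tokens that can be invalidated server-side" pattern from the answer above, sketched from the server's side as an added example that is not part of the original answer. `TokenStore` and its method names are hypothetical, the in-memory dict stands in for a database table, and the client is assumed to send the token over TLS in a header or cookie.

```python
import hashlib
import secrets
import time


class TokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, ttl_seconds=90 * 24 * 3600):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Call once, after the username/password check has succeeded."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return the user id for a live token, else None."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None:
            return None
        user_id, expires_at = row
        if now >= expires_at:
            del self._rows[self._digest(token)]
            return None
        return user_id

    def revoke(self, token):
        """Invalidate one token (logout, lost device)."""
        return self._rows.pop(self._digest(token), None) is not None

    def revoke_user(self, user_id):
        """Invalidate every token for a user (password change)."""
        stale = [d for d, (u, _) in self._rows.items() if u == user_id]
        for d in stale:
            del self._rows[d]
        return len(stale)
```

The password is checked only at `issue` time; every later request carries the token, and `revoke` or `revoke_user` cuts off a device without touching the password.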