When I am writing a web service that needs authentication, I usually have to choose between two options:
- I can have a dedicated authentication call that creates a session. All subsequent calls are authenticated over a cookie. This is exactly how you would do authentication in a classic web site. This is not hard to write, but is not stateless. 
- I can send authentication information (such as credentials, a token, whatever) on each single request. This way it's stateless, but there is more overhead.

Are there suggested best practices for which way you should go? Why?
