Reputation: 41
I am a beginner with Ruby on Rails and a little confused as to the best authentication approach to take for:
1) Securely pass login credentials user has entered in browser to the web service call (using http basic auth in the savon gem).
2) Use the session id provided by the initial web service http response to allow the user to have a persistent session with the rails app and web service.
3) Automatically use the login credentials entered in step 1 and the session ID from step 2 in every web service request made during the current user session (until user logs out or closes browser).
I have read a lot about cookies, sessions and the various gems such as devise and authlogic that manage authentication, but it's all fairly confusing and I can't see how they fit my particular scenario of all authentication and sessions being managed by the web services app and not the rails app. Can anyone provide any advice on how to achieve the above?
Thanks
P.S. The rails app will only be accessed from mobile phone browsers.
Upvotes: 2
Views: 1185
Reputation: 19151
I recommend reading Service Oriented Design with Ruby and Rails. It covers some auth service examples and the sample code can be found here. I'm not sure what your particular situation is, but I plan to handle authenticated requests with a signature similar to how Amazon S3 does it. I haven't implemented it yet but I'll write an article about it when I do.
Upvotes: 1
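The answer above mentions signing requests in a way similar to Amazon S3. The following is an added example, not code from the answerer or the book: a simplified HMAC request-signing scheme with server-side verification, so the shared secret is never sent with the request. The module name, header layout, key id, secret and skew window are assumptions, and this is not AWS's exact canonical format.

```ruby
require "openssl"
require "base64"
require "time"

# Hypothetical scheme, loosely modelled on S3-style signing (not AWS's exact format).
module SignedRequest
  MAX_SKEW = 300 # assumed: seconds a request's Date may differ from server time

  # Canonical string: every field the server needs to trust is covered by the MAC.
  def self.string_to_sign(verb, path, date, body)
    [verb.upcase, path, date, OpenSSL::Digest::SHA256.hexdigest(body)].join("\n")
  end

  def self.sign(secret, verb, path, date, body)
    mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret,
                               string_to_sign(verb, path, date, body))
    Base64.strict_encode64(mac)
  end

  # Client side: value for an Authorization-style header, "KEY_ID:SIGNATURE".
  def self.authorization(key_id, secret, verb, path, date, body)
    "#{key_id}:#{sign(secret, verb, path, date, body)}"
  end

  # Comparison whose running time does not depend on where the strings differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server side: returns :ok or a symbol naming why the request was rejected.
  def self.verify(secrets, header, verb, path, date, body, now: Time.now)
    key_id, sig = header.to_s.split(":", 2)
    secret = secrets[key_id]
    return :unknown_key if secret.nil? || sig.nil?
    stamp = Time.httpdate(date) rescue nil
    return :bad_date if stamp.nil?
    return :stale if (now - stamp).abs > MAX_SKEW # limits the replay window
    secure_equal?(sign(secret, verb, path, date, body), sig) ? :ok : :bad_signature
  end
end

# Constructed sample values, for illustration only.
SECRETS = { "mobile-app" => "constructed-secret" }.freeze
DATE    = Time.utc(2024, 1, 1, 12, 0, 0).httpdate
BODY    = "<order><id>7</id></order>"
HEADER  = SignedRequest.authorization("mobile-app", SECRETS["mobile-app"],
                                      "post", "/orders", DATE, BODY)
```

A captured signature only stays valid inside the skew window and only for the exact verb, path and body it was computed over; the request still needs to travel over TLS to keep the body confidential.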