HTTP is stateless, thus any use of a session goes against the design of HTTP (and most of the design and security problems on the web today stem from this).
To achieve true stateless authentication, use the WWW-Authenticate and Authorization headers with your API, or upgrade the API to be exposed over HTTP+TLS (https), issue each API user account with a X509 Certificate which identifies them, then request it is sent with each API call (you can then identify them by the public key which you save against the account as an API key).
ps: always worth reading in context, chapter 6 of Roy's dissertation is invaluable but often ignored for that single chapter 5 REST.
can expand the answer if you need it :) expanding..
The Authorization request header and WWW-Authenticate response header are standard HTTP Headers used for Challenge Response Authentication, the two common and standarized methods for use with these headers are Basic and Digest Authentication. If Authorization credentials are sent with a request you process to allow access else fail with the appropriate status code, or issue a challenge using the WWW-Authenticate response header, the flow is the same as form based authentication, but it works at a RESTful HTTP level instead, and should be used to verify each request rather than setting up a session (like most do with form based authentication).
The HTTP+TLS/x509 method to which I refer is commonly known as Public key authentication, again it works at a protocol level rather than application level and is natively supported. In short the client has an private key + certificate + public key on their side, when they connect to you the certificate (which includes the public key) is sent through to the server, you then read the details from the certificate (if you want) and use the public key to authorize them, if you recognise it you let them in. This is more secure because it uses the HTTP+TLS stack where everything is encrypted and the connection is between client and server with nothing in between, and primarily because effectively the 'password' is in two parts, a private key which never leaves their machine, and a public key which does, together they form a key pair.
The PHP manual has a nice section on HTTP Authentication with code (for the headers method) and all the functions needed for HTTP+TLS/x509 are also in the manual (with examples in the documentation, but split over the various functions).
Videos
HTTP is stateless, thus any use of a session goes against the design of HTTP (and most of the design and security problems on the web today stem from this).
To achieve true stateless authentication, use the WWW-Authenticate and Authorization headers with your API, or upgrade the API to be exposed over HTTP+TLS (https), issue each API user account with a X509 Certificate which identifies them, then request it is sent with each API call (you can then identify them by the public key which you save against the account as an API key).
ps: always worth reading in context, chapter 6 of Roy's dissertation is invaluable but often ignored for that single chapter 5 REST.
can expand the answer if you need it :) expanding..
The Authorization request header and WWW-Authenticate response header are standard HTTP Headers used for Challenge Response Authentication, the two common and standarized methods for use with these headers are Basic and Digest Authentication. If Authorization credentials are sent with a request you process to allow access else fail with the appropriate status code, or issue a challenge using the WWW-Authenticate response header, the flow is the same as form based authentication, but it works at a RESTful HTTP level instead, and should be used to verify each request rather than setting up a session (like most do with form based authentication).
The HTTP+TLS/x509 method to which I refer is commonly known as Public key authentication, again it works at a protocol level rather than application level and is natively supported. In short the client has an private key + certificate + public key on their side, when they connect to you the certificate (which includes the public key) is sent through to the server, you then read the details from the certificate (if you want) and use the public key to authorize them, if you recognise it you let them in. This is more secure because it uses the HTTP+TLS stack where everything is encrypted and the connection is between client and server with nothing in between, and primarily because effectively the 'password' is in two parts, a private key which never leaves their machine, and a public key which does, together they form a key pair.
The PHP manual has a nice section on HTTP Authentication with code (for the headers method) and all the functions needed for HTTP+TLS/x509 are also in the manual (with examples in the documentation, but split over the various functions).
If you want to be hard-core about the stateless aspect, which might be important in certain systems, you could send the user's credentials on each request. This lets you authorize access to certain resources and verbs without creating 'state'. See the documentation for Amazon's S3 service, for example.
I'm tempted to say that other uses for sessions, like a shopping-cart, for example, create a real emphasis on state that goes against REST.
If this is being called by a custom client program (i.e. you mobile phones), and not the browser, why "log them in" at all. Rather, simply use HTTP Authentication (either DIGEST or BASIC if you're going SSL, or your own scheme), and "log them in" every time.
Then you don't have to worry about sessions, about load balancing, and fail over, etc. Keep it stateless.
Addenda:
Certainly, fewer hits to the DB are better, that's just a general rule. But at the same time, many hits to the DB are handled by cached pages on the DB server, or possibly application caches so that they never hit the DB server. So, in some cases, particularly single row queries against an indexed column, DB hits can be very cheap.
Now, one might consider if they're both stored and readily accessed, what's really the difference between a cache bit of the database, and a unique user session.
Well, primarily, the difference is in the contract with the data. A cached item has lifespan directly proportional to the amount of memory you have and the amount of uncached activity happening. Give it a small amount of memory, and the cached item likely has a very short lifespan. Give it a lot of memory, and the cached item has a much better chance of hanging around. If the amount of memory for cached data is large enough to where repeated activity for that data continues to use the cache, the cache is a big win. If your cache is recycling so fast nothing is ever "in" the cache, you cache has almost no value. But the point is that the system will work with or without the cache, the cache is simply a performance enhancement.
A session, however, has a different contract. Many sessions have a specific, minimum lifespan, typically measured in minutes: 10, 20, even 30 minutes.
That means that if a user hit your site just once, you must dedicate resources to that user even if he never comes back. You have to, otherwise the session offer effectively no value.
If you get a lot of traffic, you get a lot of new sessions to manage. In theory, under bad circumstance, sessions can spike without limit. If you suddenly get 10,000 hits on your site, you get to manage the remains of those hits for the minimal lifespan of your session. You have to dedicate resources (memory or disk) to them, you have to keep track of them, and then, inevitably, you have to clean them up.
A cache is a fixed resource. It only grows to the size you configure it. You have no obligation to keep anything in the cache, and as discussed earlier, the system will function with or without the cache. Caches naturally recycle. If you get that surge of 10,000 hits, they'll possibly roll your cache, but after that they leave no mark on your system. They can hit and be gone in 1 or 2 minutes, never to be seen again.
Finally, with sessions, you need to share them among your infrastructure so that they travel with the user if they hop from machine to machine (for whatever reason). Caches don't. Ideally you want to keep a user local to a set of resources, so that the caches can do their job, but the system works whether they move or stay (it just works better if they stay, because of the cache reuse). If you don't replicate your sessions, they don't work at all.
DB hits add up, they can be cheap, but they're never free. But a session has its own costs as well, so it important to consider them both and how they apply within your architecture.
Currently, I'm just using SESSIONS. The client calls a login API, and any other API needed. But I'm concerned about the impact of having 200,000 people all calling this service and have all of those sessions.
Standard those sessions touch the disc because default session_save_handler is set to file. It is better for your system to not touch the disc(memory is much faster). You could try to override session_set_save_handler to use something different than file. For example you could have sessions be stored in:
- redis(I like the predis client). Even faster would be to install C extension, but need probably need root access to recompile PHP. If you have that many users you should probably own/rent VPS. The nice folks at http://redistogo.com provide you with free plans (5 MB) if you can't install anything on the computer. I mentioned above that you should be having the capability to install things if you really want to have performance.
- memcached
these in-memory databases also support better scaling. You should also be using these databases to cache the rest of your database-queries(MySQL?). You have to remember that touching the disc is very slow compared to just using memory.
You should also should install APC to get the best performance.
How is this typically handled? Like facebook, flickr, etc....
Nowadays you can't use any API without using OAuth(although I think authentication via sessions are easier to implement). It is the new de facto standard for doing authentication without having to share passwords. The creator of PHP(Rasmus) has made a tutorial explaining how to Writing an OAuth Provider Service. Searching oauth php in google you should get yourself more than enough information.
Also nowadays most of Facebook's site is using HipHop instead of the plain old PHP to speed up their website. PHP has open-sourced a lot of there works which you could/should use:
In PHP 5 you can use SoapClient on the WSDL to call the web service functions. For example:
$client = new SoapClient("some.wsdl");
and $client is now an object which has class methods as defined in some.wsdl. So if there was a method called getTime in the WSDL then you would just call:
$result = $client->getTime();
And the result of that would (obviously) be in the $result variable. You can use the __getFunctions method to return a list of all the available methods.
I've had great success with wsdl2php. It will automatically create wrapper classes for all objects and methods used in your web service.