Token authentication using PHP for mobile devices

Published 2019-03-30 09:06

Question:

I'm writing an iPhone app to be the mobile version of my website.

I intend to expose some REST API so the app can update the user's data.

I do not wish the user to login every time, but I want to save his token/cookie and reuse it for all future requests.

I can set up a random token and pass it along with the user ID, but it's not very secure since it's easy to access it on a jailbroken device. I cannot restrict it using an IP, since the IP will probably change frequently (since it's a mobile device).

What's the best way to implement such an authentication which will be secure enough but won't annoy the user by asking him to authenticate himself often?

Answer 1:

Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if username/pass is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.

If you want to put paranoid people at ease about tracking UDID, you could instead use the UDID/MAC to salt the encrypted token, but this won't be as secure, but should do the job still.
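An added PHP sketch of the server side of this scheme (example code written for this page, not from the question or the answer above): a random token is issued per user/device pair, only its hash is stored, and later requests are accepted only when the token is unexpired and presented with the same device identifier. It assumes an opaque device id string supplied by the app (the UDID/MAC of the answer, or a modern substitute such as identifierForVendor), a 30-day lifetime, and an in-memory array standing in for the token table.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 30 * 24 * 3600; // 30-day lifetime (assumed policy)

/** Token table keyed by sha256(token); stands in for a database. */
$tokens = [];

function issueToken(array &$tokens, int $userId, string $deviceId): string
{
    // Unguessable random token; only its hash is stored so a leaked
    // table does not yield usable credentials.
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = [
        'user_id'   => $userId,
        'device_id' => $deviceId,
        'expires'   => time() + TOKEN_TTL,
    ];
    return $token; // returned to the app once, over TLS, after a real login
}

function authenticate(array &$tokens, string $token, string $deviceId): ?int
{
    $key = hash('sha256', $token);
    $row = $tokens[$key] ?? null;
    if ($row === null) {
        return null; // unknown token
    }
    if ($row['expires'] < time()) {
        unset($tokens[$key]);
        return null; // expired: the app must log in again
    }
    // Bind the token to the device that obtained it; constant-time compare
    // so a token copied off one device is rejected when sent from another.
    if (!hash_equals($row['device_id'], $deviceId)) {
        return null;
    }
    return $row['user_id']; // authenticated user for this request
}

// Usage with constructed sample values: user 42 logged in on device "dev-A".
$t = issueToken($tokens, 42, 'dev-A');
var_dump(authenticate($tokens, $t, 'dev-A'));   // same device as issued to
var_dump(authenticate($tokens, $t, 'dev-B'));   // presented from a different device
var_dump(authenticate($tokens, 'bogus', 'dev-A')); // token not in the table
```

Rejecting a mismatched device id is the server's check that the answer's "token + UDID" pairing actually buys something; on the client, the token belongs in the Keychain rather than in plain preferences, and the expiry bounds how long a copied token stays useful.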