How to do Authentication between a webservice and a mobile phone?


You could also use SOAP headers to pass around user credentials or the authentication token. You can find an article on how to do this on Authentication for Web Services (using SOAP headers), but to summarize, you create a header class:

using System.Security.Authentication;   // AuthenticationException, thrown by the web method below
using System.Web.Services;              // WebMethod
using System.Web.Services.Protocols;    // SoapHeader, SoapHeaderAttribute

// Header carried in the SOAP envelope of every request that needs authentication.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

You define a public property on the web service

public AuthHeader AuthenticationInfo;

and add some attributes to any web methods you would like to be only accessible to authenticated users:

[SoapHeader("AuthenticationInfo", Required = true)]
[WebMethod]
public string HelloSecretWorld()
{
    // Reject the call unless the header carries the expected credentials.
    if (!(AuthenticationInfo.Username == "Hello" && AuthenticationInfo.Password == "World"))
        throw new AuthenticationException();

    return "Hello World";
}

The client code would look like:

MyWebService ws = new MyWebService();
ws.AuthenticationInfo = new AuthHeader {Username = "Hello", Password = "World"};
Console.Out.WriteLine(ws.HelloSecretWorld());

This way you don't need to modify the signatures of the methods to add authentication.

Author: chobo2
Updated on June 19, 2022

Comments

  • chobo2
    chobo2 almost 2 years

    I want to make a Windows Mobile 6 cellphone application. This application will talk to a web service that I want to make.

    I don't know much about web services and programming apps for phones, so I have a couple of questions.

    1. How do I do authentication? Like my user loads up my app and goes to the login page. They type in their credentials. This gets sent to the server and authenticated. Now what do I send back? Is there some sort of FormsAuthentication?

    2. After they log in do I have to keep doing checks to see if they are logged in? Like in asp.net mvc I have AuthorizeAttributes on all my tags. That way no one can just type in the url to that action method and be able to access it. But since this is an application I am not sure if they could (say) go your login form (first form) and then somehow, without logging in, get to your main form (the one after the login form).

    3. Do web services have Authorize tags like ASP.NET MVC? Since I probably need something along those lines to ensure no one types my web service path into their web browser and gets access to all those methods I made in it.

    4. I am making an ASP.NET MVC application right now, and when the user types their credentials on my site, it is sent (in what I am guessing is clear text?) to the server, hashed and then checked. I know maybe one day, when I can afford it, I could get SSL to make it more secure.

    So my question is: with sending the credentials from the phone to the server, will it be less secure than what I have for my website right now? About the same? What can be done to make it more secure (is it SSL again?).

    Thanks

  • chobo2
    chobo2 over 14 years
    So would I have to send the credentials always, on every action? Like I see you made a new web service object. So say I go to another form in my phone application and make a new web service object. Do I need to resend the credentials?
  • Michał Drozdowicz
    Michał Drozdowicz over 14 years
    You could also only send the authentication token instead of the credentials. In that case, you would first ask the web service for a token, passing in your credentials (either as a SOAP header or as regular web method parameters), and later use another SOAP header with a single property (Token) for all other web method calls. This way you don't need to use SSL for other calls while still keeping security away from your method signatures.
  • chobo2
    chobo2 over 14 years
    What's an authentication token? How do I generate it? What happens if I wanted to add a role check to this authentication? Like I have 3 roles and some methods can only be used by certain roles. So I would have to check for that too.
  • Michał Drozdowicz
    Michał Drozdowicz over 14 years
    An authentication token is something like a session id - it might be a string containing the hash of a user (like in psasik's answer) or simply a GUID. You would issue it in some sort of Login or Authenticate web method and then use it to verify whether other calls to the web service are made by the same user. On the service side you would usually store the generated tokens in some table along with a reference to the user table and the date of issue (tokens are usually valid only for some time -- in the same way as a web session expires).
  • chobo2
    chobo2 over 14 years
    Hmm I think I understand but is there any tutorial on this?
  • Michał Drozdowicz
    Michał Drozdowicz over 14 years
    Check the codeproject link from my answer. As for the session id/authentication token - have a google around. It's a fairly common practice and it's in no way mobile device specific.
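The following is an added example, not code from the answer or from either commenter. It implements the token scheme Michał describes in the comments on top of the SOAP-header approach from the answer: the client calls Login once with its credentials, receives a short-lived random token, and sends only that token in a SOAP header on every later call. The service keeps each issued token together with the user it belongs to, the issue time and the user's role, so it can expire tokens and enforce the role check chobo2 asked about without changing any method signature. The names TokenHeader, TokenStore, SecureService, Login, GetReport and Logout, the 20-minute lifetime and the two users are assumptions; the password check uses a constant-time comparison of SHA-256 digests to stand in for whatever hashing the real user table uses.

```csharp
// Added example (not from the original answer or comments): token-based
// authentication for an ASMX-style web service, modelled on the scheme
// described in the comment thread. All names below are assumptions.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Header sent on every call after Login; carries only the token, never the password.
public class TokenHeader : SoapHeader
{
    public string Token;
}

// What the server remembers about each issued token.
public class TokenRecord
{
    public string Username;
    public string Role;
    public DateTime IssuedUtc;
}

public static class TokenStore
{
    public static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);   // assumed lifetime
    private static readonly ConcurrentDictionary<string, TokenRecord> Tokens =
        new ConcurrentDictionary<string, TokenRecord>();

    // Issue an unguessable token: 32 random bytes rather than a user hash or a bare GUID.
    public static string Issue(string username, string role)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Tokens[token] = new TokenRecord { Username = username, Role = role, IssuedUtc = DateTime.UtcNow };
        return token;
    }

    // Returns the record for a live token, or null if the token is unknown or expired.
    public static TokenRecord Lookup(string token)
    {
        TokenRecord rec;
        if (token == null || !Tokens.TryGetValue(token, out rec)) return null;
        if (DateTime.UtcNow - rec.IssuedUtc > Lifetime)
        {
            Tokens.TryRemove(token, out rec);   // expired: forget it so it cannot be replayed
            return null;
        }
        return rec;
    }

    public static void Revoke(string token)
    {
        TokenRecord ignored;
        if (token != null) Tokens.TryRemove(token, out ignored);
    }
}

public class SecureService : WebService
{
    public TokenHeader Auth;   // populated from the SOAP header by the [SoapHeader] attribute

    private class UserRecord { public byte[] PasswordHash; public string Role; }

    // Constructed sample user table (assumption): passwords stored as SHA-256 digests.
    private static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>
    {
        { "alice", new UserRecord { PasswordHash = Sha256("correct horse"), Role = "admin" } },
        { "bob",   new UserRecord { PasswordHash = Sha256("battery staple"), Role = "user" } }
    };

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Called once with the credentials (over SSL); returns the token for later calls.
    [WebMethod]
    public string Login(string username, string password)
    {
        UserRecord user;
        if (!Users.TryGetValue(username, out user) || !FixedTimeEquals(user.PasswordHash, Sha256(password)))
            throw new AuthenticationException("invalid credentials");
        return TokenStore.Issue(username, user.Role);
    }

    // Shared check for every protected method: live token whose role is in the allowed list.
    private TokenRecord RequireRole(params string[] allowedRoles)
    {
        TokenRecord rec = TokenStore.Lookup(Auth == null ? null : Auth.Token);
        if (rec == null) throw new AuthenticationException("login required");
        if (Array.IndexOf(allowedRoles, rec.Role) < 0) throw new UnauthorizedAccessException("role not allowed");
        return rec;
    }

    [SoapHeader("Auth", Required = true)]
    [WebMethod]
    public string GetReport()
    {
        TokenRecord rec = RequireRole("admin");   // bob (role "user") is refused here
        return "report for " + rec.Username;
    }

    [SoapHeader("Auth", Required = true)]
    [WebMethod]
    public void Logout()
    {
        if (Auth != null) TokenStore.Revoke(Auth.Token);
    }
}
```

The client keeps the string returned by Login and sets `ws.Auth = new TokenHeader { Token = token }` on each new service proxy, so the password leaves the phone once per session rather than on every call. Because the token itself is the bearer credential for that session, the store keeps it short-lived and Logout removes it immediately; a GUID would work in place of the random bytes but gives fewer bits of unpredictability.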