To access a site from both the browser and a mobile app you need an API, so that users can log in and perform the other tasks from any device. Because users create resources through it, the API has to be secured, with OAuth or a comparable scheme: a user must be able to authenticate with a username and password and afterwards with a token.

That means the session has to be saved somewhere. If it is kept in a plain object in the server's memory, it is lost as soon as the server is killed and rebooted. It also breaks under load balancing: with HAProxy spreading requests across machines, the session state lives in a single process, so a user routed to another machine or process is asked to authenticate again. The session therefore has to be stored in a common place that every process can reach.

After the user authenticates, an access token is generated and sent to the user together with the user id. The user id, access token and expiry time are stored in Redis, an in-memory data structure store that is well suited to holding sessions. Every subsequent REST API call then carries the user id and access token. The token should come from a cryptographically secure random generator, the expiry should be enforced server-side (Redis can expire the key itself with a TTL), and the lookup should check that the token actually belongs to the user id presented, so a token cannot be replayed under a different id.

A user who has just signed up has no API token yet, so signup has to go through an admin account that holds an admin API token. Another option that avoids API tokens entirely is to use HTTPS and send the username and password in the Authorization header on each request (HTTP Basic authentication); that is only acceptable over TLS, since the credentials travel with every call.
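As an added example (not code from the original note), here is a Python sketch of the login, per-request token check and the Basic-auth alternative described above. Redis is replaced by a small in-memory stand-in that offers the same HSET/EXPIRE/HGETALL/DEL calls so the block runs offline; the user table, salt, password, user id and session TTL are all constructed for the demo and are assumptions, not values from the note. Only a hash of the token is stored, the expiry is left to the store's TTL, and the lookup binds the token to the user id the client presents.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL = 3600  # seconds; assumed value, not from the original note


class FakeRedis:
    """In-memory stand-in for the few Redis commands used below (HSET, EXPIRE,
    HGETALL, DEL) so the example runs offline. In production replace it with
    redis.Redis(..., decode_responses=True); the calls map one-to-one."""

    def __init__(self, clock=time.time):
        self._data: Dict[str, Dict[str, str]] = {}
        self._expires: Dict[str, float] = {}
        self._clock = clock  # injectable so expiry can be demonstrated

    def _purge(self, key: str) -> None:
        exp = self._expires.get(key)
        if exp is not None and self._clock() >= exp:
            self._data.pop(key, None)
            self._expires.pop(key, None)

    def hset(self, key: str, mapping: Dict[str, str]) -> None:
        self._data.setdefault(key, {}).update(mapping)

    def expire(self, key: str, seconds: int) -> None:
        self._expires[key] = self._clock() + seconds

    def hgetall(self, key: str) -> Dict[str, str]:
        self._purge(key)
        return dict(self._data.get(key, {}))

    def delete(self, key: str) -> None:
        self._data.pop(key, None)
        self._expires.pop(key, None)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a dedicated password hash (argon2, bcrypt) is preferable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the demo (salt, password and user id are not real values).
_DEMO_SALT = b"demo-salt-do-not-reuse"
USERS = {
    "alice": {"user_id": "42", "salt": _DEMO_SALT,
              "pw_hash": _hash_password("correct horse", _DEMO_SALT)},
}


def _session_key(token: str) -> str:
    # Keep only a hash of the token in Redis: a leaked dump then cannot be replayed.
    return "session:" + hashlib.sha256(token.encode()).hexdigest()


def login(store: FakeRedis, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Check username/password; on success mint a token, store it with a TTL and
    return (user_id, token), which is what the client sends on later requests."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or timestamp
    key = _session_key(token)
    store.hset(key, mapping={"user_id": user["user_id"]})
    store.expire(key, SESSION_TTL)  # Redis enforces the expiry itself
    return user["user_id"], token


def authenticate(store: FakeRedis, user_id: str, token: str) -> bool:
    """Per-request check: the token must exist, be unexpired, and belong to the
    user id the client claims, so a stolen token cannot be used under another id."""
    session = store.hgetall(_session_key(token))
    if not session:
        return False
    return hmac.compare_digest(session["user_id"].encode(), user_id.encode())


def logout(store: FakeRedis, token: str) -> None:
    store.delete(_session_key(token))


def make_basic_auth_header(username: str, password: str) -> str:
    """Client side of the token-less alternative: credentials in the Authorization header."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_auth_login(store: FakeRedis, authorization: str) -> Optional[Tuple[str, str]]:
    """Server side of the alternative. Only acceptable over HTTPS, because the
    password is sent on every request; here it is simply mapped onto login()."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return login(store, username, password)


if __name__ == "__main__":
    store = FakeRedis()
    user_id, token = login(store, "alice", "correct horse")
    print("authenticated:", authenticate(store, user_id, token))  # True
    print("wrong user id:", authenticate(store, "7", token))       # False
```

Because the session key is derived from a hash of the token, the store never holds a replayable credential, and because the TTL lives in Redis every process behind HAProxy sees the same expiry without any shared clock logic of its own.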