For any method that needs to be POSTed to, you have to turn off the authenticity token check for that action, or that entire controller. This is as simple as:
Maintaining a session is usually done manually, where you have a /login that returns a login token, then every subsequent API request has to include that token or the request is dropped. It's up to the application to keep track of who is logged in and which tokens are valid.
If you want to use a real Rails session, then whatever you use to communicate needs to know how to work with cookies. There are plenty of HTTP client libraries out there; you'll need to find the one that works with what you need.
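
The manual token scheme described above, as an added example that is not part of the original answer: a plain-Ruby registry that a /login action would call to issue a token and every other API action would call to check it. The class name `TokenSessions`, the 30-minute lifetime and the in-memory hash are assumptions made for illustration; an application would normally keep this state in its database or cache.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory registry for the /login token scheme (not Rails API).
class TokenSessions
  def initialize(ttl: 1800, clock: -> { Time.now })
    @ttl = ttl          # token lifetime in seconds (assumed value)
    @clock = clock      # injectable so expiry can be tested
    @sessions = {}      # SHA-256(token) => { user_id:, expires_at: }
  end

  # Called by /login once the credentials have been verified.
  # Only a digest is stored, so a dump of the store does not yield usable tokens.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[digest(token)] = { user_id: user_id, expires_at: @clock.call + @ttl }
    token
  end

  # Called on every API request. Returns the user id, or nil when the
  # request must be dropped (missing, unknown or expired token).
  def authenticate(token)
    return nil unless token.is_a?(String) && !token.empty?
    key = digest(token)
    entry = @sessions[key]
    return nil if entry.nil?
    if @clock.call >= entry[:expires_at]
      @sessions.delete(key)   # expired tokens are purged on first use
      return nil
    end
    entry[:user_id]
  end

  # Called by a logout action; true if a live token was removed.
  def revoke(token)
    !@sessions.delete(digest(token.to_s)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because the client sends the token explicitly with each request instead of relying on a cookie the browser attaches automatically, the check in `authenticate` is what stands in for the authenticity token on those actions.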