The solution is to use a custom message header that is added to every call (you create a token after the initial log in and then send that token on every subsequent call - the token needs some kind of time currency and some extra property so that its source can be determined with a high degree of confidence to avoid spoofing). The following article describes what you want to do in the context of user authentication:
http://www.codeproject.com/Articles/352678/Add-Custom-Message-Header-in-WCF-4-Calls