Question

In a RESTful application, there's no state maintained between two requests. Each request is treated as a completely new one, even though it would have been sent by the same user, i.e. there's no session.

In that case, how is the user login information handled by a REST application?

  1. Is it that, after a successful login, the server generates a security token and sends it to the client, and the client sends it back with each and every request thereafter?
  2. If the above is true, where is the security token stored on the server? Database? (Remember: no session.)

No correct solution

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow