How about passing the session token as an argument to the ApiRequest
instead? You could then wrap calls up in a simple method for use in your controllers:
# in base controller class
def api(resource, params)
ApiRequest.new @session[:token], '/user/login', params
end
This has the advantage that session parameters are kept at the controller level, eliminating the need to persist state information in your model (where it probably shouldn't be).