services_post_authenticate.php

<?php
/**
 * Performs authentication and returns required headers.
 */
function EXAMPLE_post_authenticate($endpoint_url) {

  $user_login = array(
    'name' => 'username',
    'pass' => 'password'
  );

  $endpoint_url = rtrim($endpoint_url, '/');
  $base_url     = preg_replace('#^(.+?\w)(?:\/.*?)?$#', '$1', $endpoint_url);
  $services_url = $base_url . '/services';

  $options = array(
    'headers' => array(
      'Content-Type' => 'application/x-www-form-urlencoded',
      'Accept'       => 'application/json',
    ),
    'method' => 'POST',
    'data'   => http_build_query($user_login, '', '&')
  );
  $response = drupal_http_request($endpoint_url . '/user/login', $options);

  $data = json_decode($response->data);
  if($response->code != 200) {
    return false;
  }
  $headers['Cookie'] = $data->session_name . '=' . $data->sessid;

  // Now that we have a session, retrieve the CSRF token
  $response = drupal_http_request($services_url . '/session/token', array('headers' => $headers));
  $headers['X-CSRF-Token'] = $response->data;

  return $headers;
}