Is the point of the self.username and self.password Active Resource fields to authenticate the application that wants to consume the API? If this is correct I would still need a separate authentication system such as sessions or cookies to manage the end users who sign into my application.
It is correct that the self.username and self.password for ActiveResource are used for authenticating with the remote service. They utilize HTTP Authentication to communicate.
See: http://api.rubyonrails.org/classes/ActiveResource/Base.html -- Authentication section.