Let’s stay away from the “right” or “wrong” labels please, that’s exactly what causes at least half of the problems in this area!

RESTful URLs do not contain verbs, that’s a fact. Does that lend itself well to implementing something like a traditional login flow where a username and password is exchanged for a session cookie? Not really, but RESTful systems usually use a mechanism such as an Authentication header for this purpose. Or check out how GitHub allows you to create “authorizations” http://developer.github.com/v3/oauth as one alternative approach.