Integration isn't rarely done and I've not looked at current mechanics. Can you utilize a custom authentication package in APEX, set the http header when you call PHP, and utilize a callback (to APEX or directly to the DB if the authentication state is stored in a table) to verify the header token value is current?
Yes we can utilise custom authentication. This is already the mechanic I'm using. As far as mechanics go, I thing any login system "RETURNS" the result to the calling function, whether ti be on login page of a function (aka silent logins).
I think the key is the APEX session id.
If you always pass the session id between PHP and APEX, then within PHP you could easily have a generic routines to get and set APEX session state values.
Really, you would be just writing wrappers around htmldb_util.get_session_state and htmldb_util.set_session_state.
If you wanted to store additional values from PHP, you could either use wwv_flow_preferences.get_preference and wwv_flow_preferences.set_preference, or create your own tables and api package.
Not sure how to go about the whole thing though. Need to give this some more thought.
It would be great to hear how you put it all together in the end.
It is also importance that your apex is to be flag as sign that it is authenticated.
Will post an update if I ever get it to work.