Integration isn't rarely done and I've not looked at current mechanics. Can you utilize a custom authentication package in APEX, set the http header when you call PHP, and utilize a callback (to APEX or directly to the DB if the authentication state is stored in a table) to verify the header token value is current?
Yes we can utilise custom authentication. This is already the mechanic I'm using. As far as mechanics go, I thing any login system "RETURNS" the result to the calling function, whether ti be on login page of a function (aka silent logins).
I think the key is the APEX session id.
If you always pass the session id between PHP and APEX, then within PHP you could easily have a generic routines to get and set APEX session state values.
Really, you would be just writing wrappers around htmldb_util.get_session_state and htmldb_util.set_session_state.
If you wanted to store additional values from PHP, you could either use wwv_flow_preferences.get_preference and wwv_flow_preferences.set_preference, or create your own tables and api package.
Not sure how to go about the whole thing though. Need to give this some more thought.