You can disable the ini setting for session cookies.
ini_set('session.use_cookies', '0');
session_id($your_session_token);
session_start();
Example:
authentication api - .../sessions/
...
check username/password ... other things
...
ini_set('session.use_cookies', '0');
session_start();
$_SESSION['user_stuff'] = $stuff;
$_SESSION['other_things'] = $things;
...
print session_id() along with whatever else is needed in the response body
the actual service - .../some_other_service_url/?session_id=[session_id]
ini_set('session.use_cookies', '0');
session_id($_GET['session_id']);//I'm not sure where PHP will look for it by default and I'm too lazy to check, so I'm making sure its $_GET['session_id']
session_start();
if(!$_SESSION['user_stuff']) {
session token is missing, invalid or expired. the client needs to reauthenticate
}
do some useful things