I'm creating your standard login in PHP. It relies on the user's session remaining the same to keep the user logged in. The session has been persisting as expected on desktop browsers, Safari on iOS, and the webview in the Facebook iOS app. However, it is not persisting in the webview in the Twitter iOS app.
I have this simple page to print out the session:
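```php
<?php
session_start();
?>
<html>
<body>
<h1>$_SESSION</h1>
<pre><?php
// Escape the dump so stored values cannot inject markup into the page.
echo htmlspecialchars(print_r($_SESSION, true));
?></pre>
<h1>$_COOKIE</h1>
<pre><?php
echo htmlspecialchars(print_r($_COOKIE, true));
?></pre>
</body>
</html>
```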
The only major difference between Twitter and everyone else is that Twitter converts all links with their shortening service. If you inspect the website source code of your posts, you'll see:
```html
<a href="t.co/someCode">yourOriginalLink.com</a>
```
This affects your referrer. But how exactly would the referrer screw up your session?
I know other websites have gotten sessions to persist on Twitter because I've logged in on those other apps and I remain logged in every time I launch their site. You can look at Meerkat for example. Just search for #meerkat in your Twitter iOS app and click on the link in any of the tweets. You'll be asked to log in. If you click on a second Meerkat link, it will remember that you've already logged in before.
The Twitter iOS app destroys its session whenever the webview is dismissed. In standard cookie management, cookies without any explicit expiration are cleared when the session is over. We want to persist the cookie so that the user doesn't have to log in over and over.
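```php
// Run after session_start() and before any output is sent.
$params = session_get_cookie_params();
setcookie(
    session_name(),
    session_id(),                // also set on the first visit, when $_COOKIE has no entry yet
    time() + 60 * 60 * 24 * 365, // explicit expiry: one year from now
    $params["path"],
    $params["domain"],
    $params["secure"],
    $params["httponly"]
);
```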
The Facebook app doesn't clear the cookies whenever the webview disappears, probably because it has smart caching logic to keep the webview in memory instead of deallocating it.
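A fuller version of the approach in the answer above, as an added example that is not part of the original answer: it sets the expiry before the session starts, adds the cookie flags a year-long session cookie should carry, and caps the login age on the server. The function names, the 30-day cap and the HTTPS assumption are illustrative choices, not from the page.

```php
<?php
// Added example: start_persistent_session(), mark_logged_in() and the
// constants below are hypothetical names chosen for illustration.
const COOKIE_LIFETIME  = 60 * 60 * 24 * 365; // one year, as in the answer above
const ABSOLUTE_TIMEOUT = 60 * 60 * 24 * 30;  // assumed server-side cap: 30 days

function start_persistent_session(): void
{
    // Keep server-side session data for at least the absolute timeout,
    // otherwise garbage collection may drop it while the cookie still exists.
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_TIMEOUT);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

    // Must run before session_start(); the array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => COOKIE_LIFETIME, // explicit expiry, so the cookie outlives the webview
        'path'     => '/',
        'secure'   => true,            // assumes the site is served over HTTPS
        'httponly' => true,            // not readable from page scripts
        'samesite' => 'Lax',           // still sent when a link in a tweet opens the site
    ]);
    session_start();

    // Enforce the cap on the server: a stale or copied cookie stops working
    // once the login is older than ABSOLUTE_TIMEOUT.
    if (isset($_SESSION['logged_in_at'])
        && time() - $_SESSION['logged_in_at'] > ABSOLUTE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
}

function mark_logged_in(int $userId): void
{
    // Issue a new ID at login, so an ID that existed before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}
```

Call start_persistent_session() in place of session_start() on every page, and mark_logged_in() once the credentials have been verified.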
Unfortunately, any app using a UIWebView is unlikely to persist your cookies. It's an issue we face every day at Branch, because we use cookies when deeplinking to know whether to take any given user to an app versus the App Store / Play Store.
One workaround is to always take the user to Safari, since your cookie can be persisted there. Then you can redirect to wherever you wanted to take the user. First-party cookies in Safari are persisted. Third-party cookies are often not persisted, even in Safari. Hopefully this helps.