How can I read session variables directly in Objective-C for my iOS application?

Question

I'm writing an application which needs to be able to log into the Internet. The iOS part of the app is written in Objective-C and the server side is written in PHP. Those PHP functions are called by both the iOS app and the website.

The code to retrieve data from the database works fine. I can populate my tables in iOS and I can also add data to the database by calling PHP functions (using NSURLSession and NSURLRequest). But now I want to add functionality to update secure pages (account management), and for this I intended to set cookies for the session. In PHP this doesn't present a problem. I can check that the login was successful and then set (and unset) using the following code:

if(session_status() !== PHP_SESSION_ACTIVE) session_start();
if ($_POST['username'] == $username && password_verify($_POST['passhash'], $passwordhash)) {
   $_SESSION['loggedin'] = true;
   $_SESSION['username'] = $username;
} else {
   $_SESSION['loggedin'] = false;
   $_SESSION['username'] = '';
}

I can then check to see if I'm logged in as follows:

if(session_status() !== PHP_SESSION_ACTIVE) session_start();
if (isset($_SESSION['username']) && ($_SESSION['username'] != '') && isset($_SESSION['loggedin']) && $_SESSION['loggedin']) {
  return true;
} else {
  return false;
}

I could always call these functions from Objective-C (the same way that I populate and retrieve data from my tables), but this seems inefficient. I have an NSURLSession so (I would have thought) it should be possible to see these values directly without calling PHP code on my website.

The problem is that I can't quite workout how. NSURLSession doesn't seem be quite right and NSHTTPCookieStorage seems to persist between sessions, which is definitely wrong. My understanding of how this all hooks together is clearly wrong. Can anyone set me straight?

If possible, I do want to be able to continue sharing as much code between website and app as possible (so setting the cookies for login for example), but not when it doesn't make sense to do so - like calling out to the server for information which should be available to me locally.