You need to go through the main index.php, that’s how all frameworks works (Slim, Symfony, Laravel, etc.), that’s why URL rewrite is required. Never try to access a particular .php by file name. Old version security systems are based on session variables named with project name only, so it worked. With newer versions, the user is refreshed from session on every request for better security. The security token is based on the user, not project ID or project name.
When you enter a sub site, you need to go through the index.php of the sub site. If the security settings for all projects are exactly the same (especially same users table), the authentication token should be the same, it should also work.
(You may also consider SSO by SAML. For example, SimpleSAMLphp.)