What you could do is create “cross-over” links between the sites to carry the session over.
The simplest way is to pass the session id via the query string; e.g.
http://whateverblammo.com/?sessid=XXYYZZ
Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you’re not using SSL, there’s not much difference for someone who taps the network.
That doesn’t mean it’s safe; for one, users could accidentally copy/paste the address bar and thus leaking out their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.
Note that using mcrypt() on the session id won’t help much, because it’s not the visibility of the value that’s the problem; session hijacking doesn’t care about the underlying value, only its reproducibility of the url.
You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:
$_SESSION['extids'] = array();
$ext = md5(uniqid(mt_rand(), true)); // just a semi random diddy
$_SESSION['extids'][$ext] = 1;
$link = 'http://othersite/?' . http_build_query('sessid' => session_id() . '-' . $ext);
When received:
list($sid, $ext) = explode('-', $_GET['sessid']);
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
// okay, make sure it can't be used again
unset($_SESSION['extids'][$ext]);
}
You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.