Ok, this looks pretty typical. You also need to show your snippet of code that does the session-based checking for pages that require authentication.
As you know, sessions work by sending your users a cookie with a random token (session id). Each time you call session_start() on a page, that page watches for the cookie with its corresponding session id (or creates a session and sends a cookie if no cookie is sent). Cookies are only sent back to a website if its URL matches the URL of where the cookie was originally obtained. In other words, browsers are not supposed to share cookies with other URLs. So I ask, do these websites use the same URL? I guess an example would be that each one has its own folder under the same URL.
Now it seems that a malicious user should be able to see what the session id is for one authenticated website (look at HTTP headers, etc.) and pass it in a URL for another website. If session.use_trans_sid is enabled, this action, in theory, would tell PHP, "look for a previous session called: 75baed2b542603e49e16ea01b32f2d3e and use it." I do not believe PHP uses anything to identify a session other than this session id. In fact, it's probably trivial to send an HTTP header with PHPSESS=75baed2b542603e49e16ea01b32f2d3e added to the cookie even if session.use_trans_sid is disabled.
Just to be safe, I'd start injecting server name into my session:
// declare the session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
$_SESSION['MM_Name'] = $loginStrName;
$_SESSION['MM_Servername'] = $_SERVER['SERVER_NAME'];
Then in your authentication checks include:
if ( !(isset($_SESSION['MM_Servername']) && $_SERVER['SERVER_NAME'] == $_SESSION['MM_Servername']) ) {
    header("Location: ". $MM_redirectLoginFailed );
    exit; // stop here so the protected page is not rendered after the redirect header
}
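A fuller version of the binding check from the post above, as an added example that is not the poster's code. It goes beyond the server-name comparison by also tagging the session with a per-site id, since sites in separate folders of one host share SERVER_NAME. `APP_ID`, `SESSION_NAME`, `MM_AppId`, the cookie path and the login URL are assumed names.

```php
<?php
// Added example, not the poster's code. APP_ID, SESSION_NAME and MM_AppId
// are assumed names; the other MM_* keys follow the post. Needs PHP 7.3+.
const APP_ID       = 'site-a';      // assumption: unique per website
const SESSION_NAME = 'SITEASESSID'; // assumption: unique per website

function start_site_session(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ids passed in the URL
    ini_set('session.use_trans_sid', '0');
    // A separate cookie name and path per site stops the browser from
    // offering one site's cookie to another folder on the same host.
    session_name(SESSION_NAME);
    session_set_cookie_params(['path' => '/' . APP_ID . '/', 'httponly' => true]);
    session_start();
}

function mark_logged_in(string $user, string $group): void
{
    session_regenerate_id(true);    // new id at login, old one is deleted
    $_SESSION['MM_Username']   = $user;
    $_SESSION['MM_UserGroup']  = $group;
    $_SESSION['MM_Servername'] = $_SERVER['SERVER_NAME'];
    $_SESSION['MM_AppId']      = APP_ID;
}

// A hand-copied id can still reach a shared session store, so the server
// checks where the session was created before trusting it.
function session_belongs_here(array $session, string $serverName): bool
{
    return isset($session['MM_Username'], $session['MM_Servername'], $session['MM_AppId'])
        && $session['MM_Servername'] === $serverName
        && $session['MM_AppId'] === APP_ID;
}

function require_login(string $loginUrl): void
{
    if (!session_belongs_here($_SESSION, $_SERVER['SERVER_NAME'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;                       // nothing after the redirect is rendered
    }
}

// Top of every protected page:
//   start_site_session();
//   require_login('/site-a/login.php');
```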