I'll first start the session normally and then check the user's IP address and/or referrer against the IP address of the session and a list of valid referrers. If its an invalid (meaning the IP address doesn't match or the referrer is not in the list), I'll create a new unique session ID and set the session to that value using session_id with the new ID value as its argument.
I then start the session a second time (consecutive calls to session_start() do not appear to cause any errors in my testing), and unset the session (starting clean).
I can then proceed on, using the session as I would normally.
I've done some basic testing and this seems to work. I'm still curious what impact it will have if the user has a session cookie and they click a URL that has a session ID imbedded in it. It will be interesting to see which value takes presidence, the cookie or URL propogated session ID.
