I guess what you want to do is protect your images from being accessed when somebody is not logged in.
Your setup seems to be a.com/session.php needs to check authentication for a user to access b.com/image.jpg. I don't think this is possible in the way you described it.
What you can do:
- Put session.php and image.jpg on the same file system and read image.jpg through session.php. Bad PHP overhead here!
- Use a more cryptic file name for b.com/image.jpg that cannot be guessed easily. The file can only be accessed by somebody who knows the URL. All the big guys do that (Facebook, Flickr).
- Install a second authentication mechanism on b.com (e.g. HTTP basic authentication). HTTP-Redirect from a.com/session.php with appropriate headers. This is also PHP overhead and an additional HTTP request for the user. Not sure if this works in all browsers for embedded images.
- Install user certificates and authenticate users over HTTPS at b.com.
There is certainly more, but you should probably go with cryptic and long file names. They are easy to implement and once a trusted user has seen an image, he can do whatever he likes with it, e.g. upload it somewhere else. Your images aren't safe if you put them online for others to see anyways.
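
An added example, not part of the original answer: one way to give an image the kind of long, cryptic file name suggested above, using PHP's CSPRNG so the name cannot be guessed or enumerated. The function name, the allowed-type list and the sample directory are assumptions, and the approach only holds if directory listing is disabled on the image host.

```php
<?php
// Added example: all names here are hypothetical, not from the original answer.
// Allowed MIME types, mapped to the extension the file is stored under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Copy an image into $publicDir under a name built from 128 bits of CSPRNG
// output and return that name. The caller stores it next to the owning record.
function store_with_unguessable_name(string $srcPath, string $publicDir): string
{
    // Decide the extension from the file content, never from a user-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($srcPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("unsupported type: $mime");
    }
    // random_bytes() draws from the OS CSPRNG. uniqid(), rand() or a hash of
    // the row id would produce names an outsider can predict.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($publicDir, '/') . '/' . $name;

    // Mode 'x' fails if the file already exists, so nothing is ever overwritten.
    $out = fopen($dest, 'xb');
    $in  = fopen($srcPath, 'rb');
    if ($out === false || $in === false) {
        throw new RuntimeException('cannot open source or destination');
    }
    stream_copy_to_stream($in, $out);
    fclose($in);
    fclose($out);
    return $name;
}

// Constructed sample input: a minimal GIF header standing in for an upload.
$src = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($src, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$dir = sys_get_temp_dir() . '/public_images_' . bin2hex(random_bytes(4));
mkdir($dir, 0755);

$name = store_with_unguessable_name($src, $dir);
echo "stored as $name\n";   // 32 hex characters followed by .gif
unlink($src);
```

The resulting URL is a bearer secret: anyone who obtains it can fetch the image, so it should only be sent over HTTPS and only embedded in pages served to logged-in users.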