
Security issue: image, referer and no cookie

How can I deal with this one?


tata668

5:00 pm on May 6, 2006 (gmt 0)

10+ Year Member



1. In the application I plan to release soon, members will be able to add images using BBCode. Those images would have to be hosted on another server, not on mine.

2. I allow users with cookies disabled to browse my site and to log in, in which case there would be a PHPSESSID (their session ID) in the URL for every page.

The problem: what would prevent a malicious user from placing an image somewhere and looking at his statistics (webserver log) to get the referers for that image, then checking if there are some PHPSESSIDs in there and using those to try to log in as the victim?

Is there a way I could hide the "referer" information when displaying those images?

Would calling a PHP script that redirects to the image work? Would that hide the referer?


<img src="imgRedirect.php?path=http://www.example.com/realImgPath.jpg" />

Any other idea?
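As an added example (editor's code, not part of this thread): a plain redirect script does not remove the leak, because browsers carry the Referer of the originating page across a redirect, so the external image host still receives the page URL, session ID included. What does keep the user's page URL away from the external host is fetching the image server-side and streaming it to the browser, since the only request the external host sees comes from your server. The script below is a hypothetical `imgProxy.php` that does this for the `?path=` parameter from the post; `$allowedHosts` is a placeholder list. It assumes the curl extension is available. Note that a proxy that fetched arbitrary URLs would let anyone make your server request internal addresses, hence the host allowlist, the scheme check and the refusal to follow redirects.

```php
<?php
// imgProxy.php (hypothetical): fetch a remote image server-side and stream it
// to the browser. The remote host sees only this server's request, so the
// user's page URL (and any PHPSESSID in it) never reaches it.

// Placeholder list: only hosts you have explicitly vetted. Never proxy
// arbitrary URLs, or the script becomes a way to reach internal hosts.
$allowedHosts = ['images.example.com', 'cdn.example.net'];
$maxBytes = 2 * 1024 * 1024; // refuse anything over 2 MiB

$url = $_GET['path'] ?? '';
$parts = parse_url($url);
if ($parts === false
    || !isset($parts['scheme'], $parts['host'])
    || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
    || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
    http_response_code(400);
    exit('invalid image url');
}

// curl sends no Referer header unless asked to, so nothing about the
// user's page is disclosed to the remote host.
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,   // a redirect could leave the allowlist
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_MAXFILESIZE    => $maxBytes,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
$ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
curl_close($ch);

// Only pass through responses that really are images; anything else
// (HTML, scripts, oversized bodies) is dropped rather than relayed.
if ($body === false
    || $status !== 200
    || strlen($body) > $maxBytes
    || !preg_match('#^image/(jpeg|png|gif|webp)\b#i', $ctype)) {
    http_response_code(502);
    exit('image unavailable');
}

header('Content-Type: ' . $ctype);
header('Content-Length: ' . strlen($body));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: public, max-age=86400');
echo $body;
```

The BBCode renderer would then emit `<img src="imgProxy.php?path=..." />` with the remote URL passed through `urlencode()`. Independently of the proxy, the cleanest fix is to stop putting the session ID in URLs at all (`session.use_trans_sid = 0` and `session.use_only_cookies = 1` in php.ini), so that there is nothing in the Referer worth harvesting.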