Thanks once again for your replies...all very interesting and useful comments. I should probably explain a little more about my set-up...
I mentioned earlier that I am running the same script within 2 separate folders, accessing 2 separate databases, acting as 2 separate sites.
What I actually have is a single (common) codebase located above the web root. I have then created 2 skeletal directories ("folder1" and "folder2") and into each of these folders I have added a config file and an index file. The config file sets up the site-specifics (like the database connection) and the index file accesses the common codebase. The index file acts as a Front Controller for the site.
This arrangement allows me to utilise the same codebase for each "site" with a very rapid set-up time, and easy management of updates. The script itself is an application that will (eventually) be used by multiple clients (each located in their own folder) which is the reason I want to keep the data separate by using separate databases for each site.
However, if I have a user who has just logged into "folder1" and they then browse to "folder2", their session will still be valid and the chances are that it may relate to a user in the other database. I am currently setting the session.cookie_path to limit the session cookie's scope to a particular folder, but as I have found out - this is an insecure method of limiting a users access, because the cookie path can be tampered with.
I guess the reason for posting this thread was that I was surprised that PHP does not have a feature to limit the scope of the session to a particular path on a domain, other than through setting the cookie path, which can so easily be tampered with.
I would have thought that a session path value could have been stored on the server, at the point that the session was created. PHP would only then recognise the session when pages within that path were accessed. I am sure there are reasons why this was not implemented, but it seems like a fairly straight forward feature.
I think for the time being, my best bet is to do what Kromey suggested and set a $_SESSION['path'] variable that I can then check to ensure a user only has access to a specific folder. I also take on board Auricle's comments about bringing the user data together in a single database so that logins can be managed centrally. This would involve a fundamental redesign of my script, but it may well be necessary!