Your options:
- Use a session based system. Keep track of the last page each session was on. And then:
- Encode both the source and destination in your URLS. If the source is wrong, you know something happened, or:
- Keep a list of pages that may be accessed by each page. When somebody requests a page, make sure that it is valid from the last visited page.
- Encode a unique request ID with every page you server. If you see the same request ID twice, you know somebody made two requests from the same page. Or encode a unique key in your URLs such that each URL is only valid once.
UPDATE I guess this was post #200 for me. I thought I was going to come up with something meaningful for this special number, but I guess I'll wait till 250 now...