I am not going into forging HTTP_REFERER, if interested search google for "forge HTTP REFERER" and see that is a client sent http header. As for verifying the location that linked to your side you can perform many veriations of this including the page that refers to you calling a ssi script that talks to youtr host and generates a session url to show as the link. really there are tons of ways this can be done securly -- lol look at how porn sites do it.

-Waswas