Relying on $ENV{'HTTP_REFERER'} is not secure anyway, so you might as well go and tack something to the requested URL. It is trivial to fake the referrer. You could, for example, store the handed-out URLs in a database and only recognize these as valid, as a solution.