Thanks everyone for your input!

Here's a bit more info which surely will effect the final solution I put together from all your awesome help and advice!

Site A (the referring site) I have no access to write code for... the only thing they will do for us is adjust the link. I was going to have them tag on an encrypted timestamp, and on Site B, have it validate and allow that timestamp for a period of 5 minutes or so. Exactly like jhourcle suggested - seems the best idea (if not only possible one!)

Once the user successfully gets to Site B - they have to login to access sensitive areas, so I dont need the most secure method available. In fact, if they were not linking to us from a secure server, using the http referer would have been enough to work.

The last bit of info... someone mentioned creating a database of valid links we'd allow - trouble with this is we dont even want someone bookmarking the entrance pages.

How about some sort of Apache or httaccess rules? IP filtering maybe? Is there another method to grab some sort of referrer or IP other than environment variable?

thanks
chris