http_referer lost using https

天涯浪人 2020-12-17 03:06

Picture two web pages, both viewed using https. They reside on different domains.

How can I (reasonably) ensure that someone arriving at my page came via a hyperlin

3 answers
  •  清歌不尽
    2020-12-17 03:43

    Whether or not the RFCs allow the sending of http_referer or not, you'll find that many web clients and/or the proxies or other privacy-related gateways between it and the server will remove or spoof the http_referer in the header, rendering most http_referer-based "authentication" schemes partially functional at best.

    If you have some collaboration with the custodian of the first https server, you may agree on passing along a time+something_else-based hash code of sorts in the requests to your server. By verifying the hashcode on your end, you'll know your https visitor came from the other server [very recently].
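
The time-based hash code described in the answer above, as an added example that is not part of the original thread. It assumes HMAC-SHA256 as the keyed hash and a timestamp plus random nonce as the "time+something_else" input; the key, the 120-second window, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: both operators exchange this key out of band (constructed value).
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 120   # assumed freshness window
CLOCK_SKEW_SECONDS = 5  # assumed tolerance for clock drift between servers


def _sign(key, ts, nonce):
    # Keyed hash over timestamp and nonce; a bare hash could be forged by anyone.
    return hmac.new(key, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(key, now=None):
    """Linking site: build the value appended to the outbound hyperlink."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_sign(key, ts, nonce)}"


def verify_token(key, token, seen_nonces, now=None, max_age=MAX_AGE_SECONDS):
    """Receiving site: accept only an authentic, fresh, unused token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    ts, nonce, mac = parts
    if not (ts.isascii() and ts.isdigit()):
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(_sign(key, ts, nonce).encode(), mac.encode()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    if not -CLOCK_SKEW_SECONDS <= age <= max_age:
        return False
    if nonce in seen_nonces:  # same token presented twice
        return False
    seen_nonces.add(nonce)
    return True
```

The nonce store only has to remember entries for the length of the freshness window, since older tokens are rejected on age alone.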
