I thought I was being really slick by using the $_SERVER['HTTP_REFERER']
variable to guarantee my script was being called from the appropriate page.
Luckily, when I performed a header('Location: yourPathHere.php')
redirect in my testing browser, it wouldn't set the $_SERVER['HTTP_REFERER']
variable. So I looked it up at http://php.net/manual/en/reserved.variables.server.php, only to find this...
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
So my question is: How can I guarantee my page is being navigated to from a trusted source?
EDIT: To clarify questions regarding the comments section. I'm trying to avoid XSRF (cross-site request forgery).
Relying on any user originated input for request verification is almost no better than no verification at all.
You should read this section on CSRF countermeasures from Wikipedia for a basic outline of available approaches to tackling the issue.
In short:
Web sites have various CSRF countermeasures available:
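As an added illustration that is not part of the question or the answer above, here is the synchronizer-token countermeasure in plain PHP: a random token stored server-side in the session, embedded as a hidden field, and checked on every POST (the function names, the session key, and `yourPathHere.php` as the form action are my own choices):

```php
<?php
// Added example: synchronizer-token CSRF protection in plain PHP.
// Function names and the session key are assumptions, not from the page.
session_start();

const CSRF_SESSION_KEY = 'csrf_token';

// Create (once per session) a random, unguessable token and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to embed in every state-changing form we render.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time,
// so a missing or wrong token is rejected without leaking timing information.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept only POSTs carrying the token from a form this site rendered;
    // a third-party site cannot read the session-bound value to forge it.
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... perform the state-changing action here ...
    echo 'Request accepted.';
} else {
    // GET: render the form with the token embedded.
    echo '<form method="post" action="yourPathHere.php">'
        . csrf_field()
        . '<button type="submit">Submit</button></form>';
}
```

With this in place the `HTTP_REFERER` check can be dropped entirely; the token, not the referer, is what proves the request came from your own form.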