
How to allow only one referrer?

2 servers, one is hosting the script and the second the files


rowtc2

4:07 am on Apr 18, 2010 (gmt 0)

I have 2 servers.

On server A I have the script of siteA.com. On server B I have the files hosted.

How can I allow only users who came from siteA.com to get .zip files from server B?

I know about hotlink protection, but sometimes it can be bypassed. I want to allow by referrer as a second measure.

Any other suggestions? Maybe I can encrypt the path to the files with md5 so it is not visible, and have it expire in 12h, for example?

g1smd

8:22 am on Apr 18, 2010 (gmt 0)

Cookies are more reliable than referrer detection.

jdMorgan

3:46 pm on Apr 18, 2010 (gmt 0)

"Hotlink protection" *is* referrer-based. And the reason it is unreliable and can be bypassed is that sending a referrer is *optional* for clients. Some don't send it, some "internet security" programs and browser settings block it, and referrers in requests from users behind ISP and corporate proxies will often be removed by the ISP or corporate caching proxy.

You cannot count on referrer-based solutions for 100% control.

As g1smd says, a cookie-based approach would be better. But then you have the problem that both servers must be in the same domain (although they could be in different subdomains of that domain if the cookie is so scoped).

Assuming that siteA and siteB are different domains, you're going to need to do something like use a pass-key approach where siteA generates an encrypted one-time-only passkey string and includes it in the requested URL or as a query string attached to that URL to be requested from siteB. SiteB can check it for validity, note that it has been previously-used and is now expired, and return the requested file. SiteA also needs to note 'expired' passkeys, so as not to try to re-use them.

The linking page on siteA must be marked as non-cacheable, so that a new pass-key can be generated for any subsequent files to be requested from siteB.

There's probably several days' work here, unless you can find a good example to work from, or buy a ready-made scripted solution.

Jim
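The pass-key scheme jdMorgan sketches above, written out as an added example; this is not code from the thread or from either poster. It assumes siteA and siteB share a secret provisioned out of band (the `SHARED_SECRET` placeholder), that siteA calls `make_download_url` while rendering its non-cacheable linking page, and that siteB runs `PasskeyVerifier.verify` before serving the file. The signature is an HMAC-SHA256 over the file name, expiry and a random nonce, so none of the three can be altered; siteB checks the signature first (constant-time), then the expiry, then refuses any nonce it has already seen. The `now` parameters exist so the behaviour can be tested with fixed clocks; in production they default to the real time. Names and the URL layout are this example's own choices.

```python
"""Expiring, single-use download pass-keys for files served from a second domain.

Added example, not from the forum thread. Assumptions: a shared secret known to
both servers, a single-process 'used nonce' store (a shared database in reality),
and the query-string layout chosen here.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: provisioned on both servers via config, never placed in a URL or page.
SHARED_SECRET = b"replace-with-32-random-bytes-from-os.urandom"


def _sign(secret: bytes, filename: str, expires: int, nonce: str) -> str:
    # Newline-separated fields make the MAC unambiguous (no field can absorb another).
    msg = f"{filename}\n{expires}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_download_url(base_url: str, filename: str, ttl_seconds: int = 12 * 3600,
                      now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> str:
    """siteA side: build a link to siteB that is valid for ttl_seconds and for one download."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_urlsafe(16)  # unpredictable, so pass-keys cannot be guessed
    sig = _sign(secret, filename, expires, nonce)
    query = urlencode({"f": filename, "exp": expires, "n": nonce, "sig": sig})
    return f"{base_url}?{query}"


class PasskeyVerifier:
    """siteB side: validate a pass-key before sending the requested .zip."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self._used: Dict[str, int] = {}  # nonce -> expiry; shared storage in production

    def verify(self, url: str, now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Return (status, filename). Only status 'ok' carries a filename to serve."""
        now = int(time.time()) if now is None else now
        q = parse_qs(urlsplit(url).query)
        try:
            filename = q["f"][0]
            expires = int(q["exp"][0])
            nonce = q["n"][0]
            sig = q["sig"][0]
        except (KeyError, ValueError):
            return "malformed", None
        # 1. Signature first, in constant time: forgeries never reach the state below.
        if not hmac.compare_digest(_sign(self.secret, filename, expires, nonce), sig):
            return "bad-signature", None
        # 2. Expiry (12h by default, per the original question).
        if now > expires:
            return "expired", None
        # 3. One-time use: a replay is refused even though it is signed and unexpired.
        self._prune(now)
        if nonce in self._used:
            return "replayed", None
        self._used[nonce] = expires
        return "ok", filename

    def _prune(self, now: int) -> None:
        # Nonces past their expiry can never validate again, so drop them from memory.
        for nonce, expires in list(self._used.items()):
            if expires < now:
                del self._used[nonce]


if __name__ == "__main__":
    link = make_download_url("https://siteb.example/get", "files/report.zip")
    verifier = PasskeyVerifier()
    print(link)
    print(verifier.verify(link))   # ('ok', 'files/report.zip')
    print(verifier.verify(link))   # ('replayed', None)
```

The referrer check the original poster asked about can stay in front of this as a cheap filter, but it should not be the control: the pass-key is what actually decides whether siteB serves the file, and the one-time nonce is what stops a copied link from being reused after the first download. If the linking page on siteA is cached anywhere, the nonce in it is spent after the first click and every later visitor gets "replayed", which is why that page has to be marked non-cacheable.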