
.htaccess allow only from a specified URL or html link

         

drushey

7:37 pm on Mar 26, 2004 (gmt 0)




How would I use the .htaccess file to only allow users who have been redirected/referred from another website or particular link (protected folder)?

I am new to editing the .htaccess file and found some information on the 'setenvif referer', but I am not sure if I am going about this in the right way.

Note: I only want users who have gone through a particular link (local link or external) first.

digitalv

7:42 pm on Mar 26, 2004 (gmt 0)




Referrer information is easily modified - the server can't "see" what the last page they were on was, the visitor's browser TELLS the server through the headers what the referring document was. Since this information is coming from the client, not from the server, it's easy for the client to change this part of the host headers and request the page with a fake referrer.

While I don't do it much anymore, I can't tell you how many times I altered the referrer information to get access to content that was "protected" in this way.

My advice would be to set a session variable on the page that you want to be the "referrer" and then request that variable on the other page. If the variable exists, show the page. If not, redirect them somewhere else (the code to request the variable and redirect can be an include that you just drop into every page you want to protect).

Another option would be to actually make the protected area password-protected, and include the user/pass in the previous link, like [user:pass@yoursite.com...] so the login dialog box doesn't come up. Then you can change that password as often as you want and update your links.
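The session check suggested in the post above, set beside a Referer check, as an added example that is not part of the original thread. It is a Python WSGI app; the paths `/entry` and `/protected`, the cookie name `sid`, `ENTRY_URL` and the `request` helper are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie

ENTRY_URL = "https://example.com/entry"  # hypothetical "referring" page
SESSIONS = set()                         # session ids issued by this server

def referer_gate(environ):
    """Weak gate: decides on a header the client writes itself."""
    return environ.get("HTTP_REFERER", "").startswith(ENTRY_URL)

def session_gate(environ):
    """Gate on state the server created when the entry page was served."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else ""
    return sid in SESSIONS

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/entry":
        sid = secrets.token_urlsafe(32)  # unguessable, server-generated
        SESSIONS.add(sid)
        start_response("200 OK", [
            ("Content-Type", "text/plain"),
            ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"),
        ])
        return [b"entry page"]
    if path.startswith("/protected"):
        if session_gate(environ):
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"protected content"]
        # No valid session: send the visitor to the entry page instead.
        start_response("302 Found", [("Location", "/entry")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def request(path, extra=None):
    """Call the app in-process with a constructed WSGI environ."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, **(extra or {})}
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    forged = {"HTTP_REFERER": ENTRY_URL}  # constructed client-chosen header
    print("referer gate accepts forged header:", referer_gate(forged))
    print("session gate on same request:", request("/protected/a", forged)[0])
```

A request carrying only a client-chosen Referer passes `referer_gate` but is redirected by the session check, because the session id exists only if the server issued it from the entry page.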

drushey

8:24 pm on Mar 26, 2004 (gmt 0)




Unfortunately, the [user:pass@yoursite.com...] no longer works, since MS KB# [support.microsoft.com...]

I have already tried that option. Most of our users have IE. I would try a work-around for the user:pass@www.yoursite.com, however, I could not find any easy options or scripts that actually work.

I am stuck with using the htaccess [for reasons :( ] Is there a way to protect the folder using .htaccess and pass the information in a file, if from a specified location? Or is there a script I can use that will avoid using the popup (custom login form)?