Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Barry, your check on the referrer sounds like a good way to stop remote-site attacks. It enforces proper behavior for people who access privileged areas. Would the check be applicable to any page requiring privileges? Such a security feature could be enabled out of the box, but admins like Jonathan could turn the feature off to prevent his descent into psychosis.