You could add session_ids to block remote attacks: they are server-issued, rely on a server-side secret, bloat the URL, have you think about URL expiry etc. It is totally unrealistic that we would implement this for OpenACS though, too much work I fear. (One nitpicking side note is that the referer header is user-supplied and thus may be forged too.)
Relying on the referer header and being able to turn that off is imho a very sane solution. It provides close-to-optimal security with a minimum of fuss, new code, and UI hassles.
The stuff you've implemented (plan to implement?) should become part of the stock distro of OpenACS with a default setting of enabled.
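The two mechanisms the post contrasts, a referer check that an admin can switch off and a server-issued request id that depends on a server-side secret and carries an expiry, side by side. This is an added illustration, not code from the post or from OpenACS (which is written in Tcl); the site host, the header dictionary shape, the `enforce` switch and the token layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# Assumed site identity and per-process server-side secret (constructed for the example).
SITE_HOST = "example.test"
SERVER_SECRET = secrets.token_bytes(32)


def referer_allows_request(headers, enforce=True):
    """Referer-based cross-site check with an admin toggle.

    `headers` is a plain dict of request headers (assumed shape).
    With `enforce=False` the check is disabled, matching the "being able to
    turn that off" setting discussed in the post. A missing or unparsable
    Referer is treated as cross-site, since that is the case a forged or
    stripped header produces.
    """
    if not enforce:
        return True
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlparse(ref).hostname == SITE_HOST


def issue_request_token(user_id, now=None, ttl=600):
    """Server-issued, expiring request id: user:expiry:HMAC(secret, user:expiry)."""
    now = int(now if now is not None else time.time())
    exp = now + ttl
    mac = hmac.new(SERVER_SECRET, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{exp}:{mac}"


def verify_request_token(token, user_id, now=None):
    """Accept the token only if it is bound to this user, unexpired and untampered."""
    try:
        uid, exp_s, mac = token.split(":")
        exp = int(exp_s)
    except ValueError:
        return False
    if uid != str(user_id):
        return False
    now = int(now if now is not None else time.time())
    if now > exp:
        return False
    expected = hmac.new(SERVER_SECRET, f"{uid}:{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check itself does not leak timing.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # Constructed sample requests: one same-site, one cross-site, one without a referer.
    print(referer_allows_request({"Referer": "https://example.test/forums/post"}))   # True
    print(referer_allows_request({"Referer": "https://other.example/page"}))        # False
    print(referer_allows_request({}))                                                # False
    tok = issue_request_token(42, now=1000)
    print(verify_request_token(tok, 42, now=1500))                                   # True
    print(verify_request_token(tok, 42, now=1700))                                   # False (expired)
```

The referer variant needs no server state and no URL changes, which is the "minimum of fuss" the post favours; the token variant costs a secret, URL bloat and expiry handling, but does not depend on a header the client controls.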