session hash set from outside program?

Hi, I have had my new rails program up for a few days now. I'm running it on Ubuntu 10.4 with apache2 in another location than the website it's made for (it's a standalone database application for physiotherapists). The people I made it for now want me to deploy it to the public part of their website, only with one change. Those who open it via the link in the public-part should not be able to click one button!

I was thinking of doing something like this in my view:

<% if session[:inside]%>     <%=button_to 'Sækja mælitæki', @link_to_mt%> <%end%>

How could I set session[:inside] only to true if the program was started from within the private part of the webpage? I thought of creating two new actions, the other would set session[:inside] to true and the other to false, but that seems to me like a security risk, is it not?

BR, Sindri