session hash set from outside program?

I have had my new rails program up for a few days now. I'm running it on
Ubuntu 10.4 with apache2 in another location than the website it's made
for (it's a standalone database application for physiotherapists). The
people I made it for now want me to deploy it to the public part of
their website, only with one change. Those who open it via the link in
the public-part should not be able to click one button!

I was thinking of doing something like this in my view:

<% if session[:inside]%>
    <%=button_to 'Sækja mælitæki', @link_to_mt%>

How could I set session[:inside] only to true if the program was started
from within the private part of the webpage? I thought of creating two
new actions, the other would set session[:inside] to true and the other
to false, but that seems to me like a security risk, is it not?