I have caller.php that calls a second file get.php with some parameters (note get.php is not a runtime include, but called only when a user clicks a button), i.e.,

Code:
file=get.php?doc=../../abc.mp3
Both caller.php and get.php are in publicly accessible folders. abc.mp3 resides in a level higher than public and is not open.

I want get.php to work ONLY when called from caller.php. If get.php is called directly from the browser, it should result in an error message.

I don't want to use referrer checks if possible. Also, I'm not looking for a foolproof method, but something that is reasonably secure or will require a few steps each time to break.

I have considered passing a $secretkey from caller.php to get.php, but anything I pass can be seen in the view source or headers? Also, session variables don't work well, I think, as I don't want the user to go to caller.php first and then right after do a direct call to get.php because the session key is set, as that will trick get.php into working...

Is this possible? Any takers?
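
Added example, not part of the original post: one way to get the behaviour asked for is to have caller.php mint a single-use, expiring link signed with a server-side secret, so the value visible in view source is only valid for one request and get.php rejects anything else. `SECRET`, `MEDIA_DIR`, `make_link()` and `check_link()` are assumed names, and the session is simulated with a plain array so the script runs from the command line.

```php
<?php
// Added example: SECRET, MEDIA_DIR and both function names are assumptions.
const SECRET    = 'replace-with-a-long-random-value'; // stays on the server
const MEDIA_DIR = '/var/www/private/media';           // hypothetical folder above the web root

// caller.php side: mint a single-use, expiring link for one file name.
function make_link(array &$session, string $doc, int $ttl = 300): string
{
    $nonce = bin2hex(random_bytes(16));
    $exp   = time() + $ttl;
    $session['dl_nonces'][$nonce] = true;              // remembered server-side only
    $sig   = hash_hmac('sha256', "$doc|$nonce|$exp", SECRET);
    return 'get.php?' . http_build_query(compact('doc', 'nonce', 'exp', 'sig'));
}

// get.php side: returns the path to serve, or null when the error message is due.
function check_link(array &$session, array $q): ?string
{
    foreach (['doc', 'nonce', 'exp', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;                               // parameter missing: direct call
        }
    }
    $expected = hash_hmac('sha256', "{$q['doc']}|{$q['nonce']}|{$q['exp']}", SECRET);
    if (!hash_equals($expected, $q['sig'])) {
        return null;                                   // forged or edited parameters
    }
    if ((int) $q['exp'] < time() || !isset($session['dl_nonces'][$q['nonce']])) {
        return null;                                   // expired, other session, or already used
    }
    unset($session['dl_nonces'][$q['nonce']]);         // burn the nonce: one download per link
    if ($q['doc'] !== basename($q['doc'])) {
        return null;                                   // bare file names only, no ../
    }
    return MEDIA_DIR . '/' . $q['doc'];
}

// Constructed demo; on the real pages pass $_SESSION (after session_start()) and $_GET.
$session = [];
parse_str(parse_url(make_link($session, 'abc.mp3'), PHP_URL_QUERY), $q);
$cases = ['first click' => $q, 'same URL replayed' => $q,
          'doc edited' => ['doc' => '../../abc.mp3'] + $q];
foreach ($cases as $case => $query) {
    printf("%-18s %s\n", $case, check_link($session, $query) ?? 'error: link not valid');
}
```

Passing only a file name and resolving it against a fixed directory inside get.php also removes the `../../` from the URL, so the parameter can no longer be used to walk to other files above the public folder.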