I need to pass security without prompting user name and password request from a site (site 1) to an ArcGIS web app (site 2). I know how to do a part of it with the proxy but this only cover the side of the GIS APP itself to the secured content (from site 2 to my secured content in ArcGIS online). What is missing for me is a way serve the app (site 2) itself only for people who came from a specific site (site 1). I can do it with URL rewrite module in IIS the why to do it is to check who is the referrer but that is too weak.
Is there a way to serve site 2 only for people who came from site 1 with something stronger then to see the referrer?