session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found the embedded session id will be marked as invalid. Defaults to the empty string.