$HTTP_REFERER from secure server?

I have a script that tries to pick up the $HTTP_REFERER from a secure server on another domain, but it's not getting passed... is that normal?

Any other way to make sure visitors have come to a certain page from another page?

It's for checkout on a shopping cart, and I want to make sure visitors visit final order page after visiting paypal.com's secure pages.

Does that make sense?