Is there any HTTP-headers or meta-tags one can use to avoid getting a URL into the browser history?

For example, I don't want

http://domain.td/show/super-secret-unique-token-that-is-private

to show up in the browser URL bar, when I start typing "domain.t".

Currently I have a (POST) search form on the website to load the tokens, and they don't come up. But later I want to load the tokens via links, from let's say an album.

I don't think you can.

You can save the token as a cookie, or use it as a GET param but make it expire every 15 minutes or so (and regenerate a new one on every page load). Also check for the same user agent, and if you want to go down the IP road, IP address (however it can give false positives, I wouldn't recommend it).

Decided to use a map that I save in the browser session. This way i can pass the tokenKey throgh the URL and get the variable back afterwards.

I wrote this little extended class of Zend_Session_Namespace and added 'add' and 'get' functions.

<?php

class My_Session_Tokens extends Zend_Session_Namespace {

    protected $_namespace = "Tokens";

    public function __construct($namespace = 'Tokens', $singleInstance = false)
    {
        parent::__construct($namespace, $singleInstance);
    }

    public function add($token) {
        if($tokenKey = $this->hasToken($token)) {
            return $tokenKey;
        }

        do { $tokenKey = uniqid(); } while(isset($this->$tokenKey));

        $this->$tokenKey = $token;
        return $tokenKey;
    }

    public function get($tokenKey) {
        if(isset($tokenKey)) {
            return $this->$tokenKey;
        }
        return null;
    }

    public function hasToken($token) {
        foreach($this as $key => $val) {
            if($val === $token) return $key;
        }
        return false;
    }
}