There are some browser that can be instructed to not to send or send a fake referer.
Better follow the first advice of Y!!. You can implement a behaviour for your application, and in beforRequest, for example, you can set the CWebuser::returnUrl (or, if you don’t like this name, you can set wherever you want in the session the return url) and then use this value for the back button.
You can also save an array instead of a single value (in this case you are forced to use something in session, for example a new var named path_in_the_site). You can send a variable with the back button and do something nice like this:
public function beforeRequest()
if (isset($_GET['back'])) //if has been pressed the back button
// delete the last visited page
This allows you to do more than one back, following backward all the path the user did