When does the browser specify "referrer" in the header of the HTTP request?

I have a login page, and users from different domains are redirected to this page for single sign-on purposes. I use the HTTP referrer header field to find out where the user came from, so when I log in successfully, I return it back to my own domain. But sometimes my referrer is not set, and in other cases it is set. Why?

+4
2 answers

Users can go to your page using various methods:

  • By entering the URL of your page directly into the address bar of your browser
  • By clicking on the link to your site from another site
  • Reloading the current page
  • Submitting a form to your site (sending a POST request to your site)
  • Using the back / forward buttons of your browser
  • Being redirected from the previous page to the current page

Now browsers really differ in how and when they set the referrer header field. But, as a rule, you can be sure that when you click a link or submit a form (POST request) they set the referrer field. Also, if you went to the current page through a redirect or link, the browser still keeps the referrer header on F5 (reloading the page).

If you see that your referrer field is empty, this is because someone knows the URL of your login page and enters it directly into the address bar, or someone has bookmarked it, and therefore sends a GET request.

As a rule, you should not always expect the referrer field, because it is out of your control. You must use cookies or query strings because they are under your control.

+11
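An added example, not part of the answer above: one way to act on its advice is to carry the return address in a query string and treat Referer only as an optional fallback. The parameter name `return_to`, the host allowlist, and the example hosts are assumptions made for illustration; both inputs come from the client, so each is checked before it is used as a redirect target.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed values for illustration: hosts that may receive the post-login redirect.
ALLOWED_HOSTS = {"app.example.com", "shop.example.org"}
DEFAULT_RETURN = "https://app.example.com/"


def _safe(url):
    """Return url if it is an absolute https URL on an allowed host, else None."""
    if not url:
        return None
    # Backslashes, spaces and control characters are parsed inconsistently
    # by browsers and servers, so refuse them outright.
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    # Reject userinfo so "https://app.example.com@other.host/" cannot pass.
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    return url if parts.hostname in ALLOWED_HOSTS else None


def pick_return_url(request_url, headers):
    """Choose where to send the user after a successful login.

    Order: explicit return_to query parameter, then Referer if the browser
    sent one, then a fixed default. headers is assumed to be a plain dict
    keyed by canonical header name.
    """
    query = parse_qs(urlsplit(request_url).query)
    explicit = query.get("return_to", [None])[0]
    referer = headers.get("Referer")
    return _safe(explicit) or _safe(referer) or DEFAULT_RETURN
```
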

Another thing is that for some users, the referrer option can be disabled in their browsers as part of the browser security settings.

+4
