I will use the example of PL/SQL pages using the Oracle Web Toolkit and mod_plsql gateway. Distinct gateways or programming languages will have similar "web session" variables.
If a page can only be access by a POST form (for instance "password" forms or forms with documents upload) you should check it! (and naive use of the "bookmark page" could be the origin of calls using GET or a simple script program)
if owa_util.get_cgi_env( 'REQUEST_METHOD' ) ='POST' then
You can even check that the referer (the page where the form was submit) is from the expected site or is an specif page (the one(s) where you put the form)
If a page is only to be access by a AJAX check
OWA_UTIL.get_cgi_env ('X-Requested-With') is not null
In mod_plsql needs DAD configuration to have
These methods only avoid some fast hacking techniques and some naive misuse, an hacker can avoid that "security" if they know of it
Advice: show an error message exactly like the one you show if the user do not have access credentials or the password entered was wrong (in case of password forms) so the hacker will get in doubt about the origin of the error.
Versão em português do Post