
There are many legitimate uses for them, but while they're convenient for preventing hotlinking, they're not necessary. Preventing hotlinking can be done easily enough by appending a URL argument that changes regularly, and can be made performant by adding that argument checking to the configuration of your frontend/caching servers.



Not a bad idea, but you could probably just use the session ID (or a unique ID linked to the user's session if it's a secure site). So when the session expires, so does access to the content. The drawback to this is you're exponentially increasing DB I/O.

Personally though, I'd rather not block hotlinking. But I understand why some people are against it.


It's actually implemented in a better way (no db required) with most web servers: http://wiki.nginx.org/HttpSecureLinkModule
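
The stateless expiring-link idea discussed in the comments above, as an added example that is not part of the thread and does not reproduce the nginx module's own code or URL format. It assumes HMAC-SHA256 as the tag, a constructed secret, and hypothetical argument names `e` (expiry) and `s` (signature).

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a constructed demo secret known only to the app and the frontend.
SECRET = b"constructed-demo-secret"


def _sign(path: str, expires: int) -> str:
    # Bind the tag to both path and expiry so neither can be altered alone.
    msg = f"{expires}:{path}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(path: str, ttl: int, now: Optional[int] = None) -> str:
    """Return the path with expiry and signature arguments appended."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    return f"{path}?{urlencode({'e': expires, 's': _sign(path, expires)})}"


def check_link(url: str, now: Optional[int] = None) -> str:
    """Return 'ok', 'expired' or 'invalid' with no database or session lookup."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    args = parse_qs(parts.query)
    try:
        expires = int(args["e"][0])
        sig = args["s"][0]
    except (KeyError, ValueError):
        return "invalid"
    # Verify the tag in constant time before trusting the expiry value.
    expected = _sign(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "invalid"
    return "ok" if now <= expires else "expired"


if __name__ == "__main__":
    link = make_link("/img/cat.png", ttl=300)
    print(link, check_link(link))
```

Because the expiry is covered by the tag, a frontend or caching server can reject stale or edited links using only the shared secret.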



