It sounds like you aren't authenticating requests that send a valid session id. Isn't that your root problem? Are you building obscurity instead of security?

You can't keep URLs private. They'll show up in HTTP headers, log files, browser histories, bookmarks, cut and paste buffers, plain text e-mails, etc.

Session IDs should only identify session state stored on your server; they should not grant access or leak the contents of your server. Ideally the client authenticates using digest mode or some other challenge response system. (Modern browsers even do this correctly.) If you have lots of CPU, basic authentication over HTTPS is also good. If your data isn't sensitive, you could "trust" an IP address for a limited time.

At the very least, add an authentication step to your code. It will make your security solution easy to understand. And big red flags will wave if you see:

sub authenticate_user {
   return 1
}
[download]