in reply to (OT) Protecting Content

One mechanism is to use a mod_perl authentication handler to control access to the content. If you are using cookies, the handler validates the cookies and allows access to the content file. Apache::AuthCookie provides a base class for this.

If you are willing to feed the content dynamically through a CGI script, then the CGI script can check the cookie and push the file to the client. The content files don't need to be visible through the web server for this to work.

You can even make the URL look like a static file by using the path info after the URL to the script.

http://www.example.com/cgi-bin/content.cgi/foo.txt
$cgi->path_info eq '/foo.txt'
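
A sketch of such a content.cgi, added here as an illustration and not part of the original post: it checks a signed cookie, then maps the path info to a file in a directory outside the document root, refusing anything that is not a plain file name. The directory path, the cookie name `session`, the `user:expiry:mac` cookie format and the `CONTENT_COOKIE_KEY` environment variable are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();
use Cwd qw(realpath);
use Digest::SHA qw(hmac_sha256_hex);

my $CONTENT_DIR = '/var/private/content';          # assumed path, outside DocumentRoot
my $SECRET      = $ENV{CONTENT_COOKIE_KEY} // '';  # assumed: key set in server config

# Assumed cookie format "user:expiry:mac", mac = HMAC-SHA256("user:expiry").
sub cookie_ok {
    my ($value) = @_;
    return 0 unless length $SECRET && defined $value;
    my ($user, $expiry, $mac) = $value =~ /\A([\w.-]+):(\d+):([0-9a-f]{64})\z/ or return 0;
    return 0 if $expiry < time;
    my $expect = hmac_sha256_hex("$user:$expiry", $SECRET);
    my $diff = 0;                                   # compare without early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0;
}

# Map PATH_INFO to a file under $CONTENT_DIR; returns undef to refuse.
sub resolve {
    my ($path_info) = @_;
    # One path component, no leading dot: rejects "..", extra "/", NUL bytes.
    my ($name) = ($path_info // '') =~ m{\A/([A-Za-z0-9_][A-Za-z0-9_.-]*)\z} or return;
    my $base = realpath($CONTENT_DIR) or return;
    my $real = realpath("$base/$name") or return;
    # A symlink inside the directory must not lead outside it.
    return (index($real, "$base/") == 0 && -f $real) ? $real : undef;
}

my $cgi = CGI->new;
unless (cookie_ok(scalar $cgi->cookie('session'))) {
    print $cgi->header(-status => '403 Forbidden', -type => 'text/plain'), "Forbidden\n";
    exit;
}
my $file = resolve($cgi->path_info);
my $fh;
unless ($file && open($fh, '<:raw', $file)) {
    print $cgi->header(-status => '404 Not Found', -type => 'text/plain'), "Not found\n";
    exit;
}
print $cgi->header(-type => 'application/octet-stream', -Content_Length => -s $fh);
binmode STDOUT;
local $/ = \65536;                                  # read in 64 KiB records
print while <$fh>;
```

With this in place, a request for /cgi-bin/content.cgi/foo.txt serves /var/private/content/foo.txt only to a client holding a valid cookie, while path info such as /../etc/passwd fails the file-name pattern and gets a 404.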