wow. this is really useful.
I also used

Content-Disposition: attachment; filename="$filename"\n

To set the filename when they get to my script download.cgi

For sessioning etc I am using a mysql table. The table keeps the user id, the timestamp start time, the timestampt last access time, the session id, the ip the session is valid for, some other details about what the user is doing right now.
For example, this is where i am keeping their last selected file id.
They can browse files they have been assigned access to, and if they select the file- the script double checks they have authority to that file and inserts the file id into their session row (in the mysql sessions table).

This way, if they choose to download, we already know what from a previous step.

By the way, this app will work via ssl. and I am going to seek out for the app to check that it *is* serving via ssl. Otherwise poop out. I know, to open source this, i have to allow for an override.

Man.. am I glad I came here for help. You guys rock. I have absolutely no problems with being told where i'm messing up- I bow before you.

background
This app is being made to allow business to share their docs with clients. They need some strange customizations for allowing very precise per client access to files and what they can do with them. I want to open source the basic system for everyone to use, and I am struggling to keep any customizations as far appart from the basic thing as possible. I hope to have it up on sourceforge in a few months. I know it will get shot out of the sky for stupidity, but- I trust the process.