Your best bet is to build some kind of ACL functionality into the webserver.

If you really can't do that, then the CGI version you're describing is doable. But I wouldn't worry about putting the URL in a database or anything like that. You're not interested in hiding the address, just restricting access to it. I'd just use the filename in the URL: http://www.tmtm.com/cgi-bin/get_file?name=foo.pdf

Then I'd just move the documents outside the webtree, check if the user is allowed, and if so serve up the required document.

Tony