Hi James,
I have no previous experience with this, but I would suggest doing something similar.
Instead of going directly to the server, you can likely do it via a .htaccess rule in the file root directory. A very similar solution is described in this article.
The solution is basically:
– The user has the link to the file, tries to open it
– Server recieves the request, checks the .htaccess for access rule
– If it matches, then checks for the login cookie, if it exists, then allows file access.
While this is not the most secure way, as the cookie can be created manually – but a generic visitor would not be able to figure that out. If you need a more robust solution, then this should be fine tuned further. Ex.: instead of checking a cookie, a request is made to a script that checks if the user is actually logged in via wordpress etc..
These are only my 2 cents 🙂 I would definitely go with the linked solution, it is likely the simplest to implement. It is out of the scope of the plugin though.