To really protect those documents, you'll probably
need to basically re-authorize the user on each
request. You can either roll your own
authentication, or you can use the HTTP basic
authentication scheme.
If you choose the former, you'll probably want to
have a login screen; then authenticate the user,
set a cookie, and let the user view the documents.
On each request for a document, check for the
authentication cookie: if it exists, let the user
view the doc; if it doesn't exist, make the user
log in again.
If you choose to go with basic authentication,
you'll want to authenticate out of your database,
since you already have the username/password
info in there. Check out Apache::AuthDBI (on
CPAN) for doing basic authentication out of
a database for which you have a DBI driver.