To really protect those documents, you'll probably need to basically re-authorize the user on each request. You can either roll your own authentication, or you can use the HTTP basic authentication scheme.

If you choose the former, you'll probably want to have a login screen; then authenticate the user, set a cookie, and let the user view the documents. On each request for a document, check for the authentication cookie: if it exists, let the user view the doc; if it doesn't exist, make the user log in again.

If you choose to go with basic authentication, you'll want to authenticate out of your database, since you already have the username/password info in there. Check out Apache::AuthDBI (on CPAN) for doing basic authentication out of a database for which you have a DBI driver.