I seem to have cobbled together a solution without using session data. What I've done was to create the download.php within my web root with an include to a second download.php outside the web root. This second file contains a query to my database (which requires DB login and password - that's why I put it outside the web root) and the above header generation code.

To use a standard link I have to employ the dynamic header within its own file (the link destination). This means I have to validate the email address one more time to prevent outside linking to this file. A little but of duplicated effort I suppose.

The initial php validates the input email address and passes it to download.php on the URL. The email address is again checked against the DB and if it passes the file download headers are generated (as above) otherwise not (shown a generic page).