That's a lot of work already and you've only just started to scratch the surface of all the things you need to consider for a full-featured restartable download (ETags etc).

Much simpler to simply have the CGI generate an internal redirect to a location holding the file and use web server configuration directives to cause it to reject HTTP direct requests to that location. This way the web server does all the hard work for you. You probably want to avoid the server putting on Content-Location: headers too so that real smart browsers don't get the idea that they should be able to bypass your script.
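
A sketch of the CGI side of this approach, added here as an example and not part of the original post. The `/protected-files/` prefix, the `REMOTE_USER` access check and the flat file-name rule are assumptions, as is the Apache rule shown in the comments.

```python
import os
import re
import sys

# Assumption: protected files are served from this URL prefix, and the web
# server refuses direct client requests to it. One possible Apache rule for
# that location (an assumption, adapt it to your server):
#   RewriteCond %{ENV:REDIRECT_STATUS} ^$
#   RewriteRule ^ - [F]
INTERNAL_PREFIX = "/protected-files/"
# Assumption: download names are flat file names, no subdirectories.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def cgi_response(path_info, authorized):
    """Return the raw CGI response for a download request.

    path_info is the CGI PATH_INFO value (e.g. "/report.pdf"); authorized is
    the result of whatever access check the script performs.
    """
    if not authorized:
        return "Status: 403 Forbidden\nContent-Type: text/plain\n\nForbidden\n"
    name = path_info[1:] if path_info.startswith("/") else path_info
    # Accept a single flat file name only, so the redirect target can never
    # leave INTERNAL_PREFIX ("/", "%", "?", NUL and ".." are all rejected).
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        return "Status: 404 Not Found\nContent-Type: text/plain\n\nNot found\n"
    # CGI local redirect (RFC 3875, section 6.2.2): a Location header with a
    # local path and no other header fields or body. The server reprocesses
    # the request internally and serves the file itself.
    return "Location: " + INTERNAL_PREFIX + name + "\n\n"


def main():
    # Hypothetical access check: the server has already authenticated the user.
    authorized = bool(os.environ.get("REMOTE_USER"))
    sys.stdout.write(cgi_response(os.environ.get("PATH_INFO", ""), authorized))


if __name__ == "__main__":
    main()
```

The script never opens the file; it only decides whether the request is allowed and which internal path the server should serve.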