How to restrict access to image folder depending on whether product is purchased or not?

I found an acceptable solution to my problem. The solution has a few steps:

  1. I used .htaccess to deny direct access to the emoticon files for everybody

  2. I created a simple PHP file in the plugin folder. The PHP file acts as a proxy for the images (I pass it the path to the emoticon via a GET parameter). Since the PHP file does not include the whole WordPress infrastructure the proxy works very fast. I also do a very basic check of a cookie (emoticon_set_name=md5(emoticon_set_name))

  3. In the WordPress plugin I use the init action to set the cookie values according to the emoticon sets that the user bought.

The MD5 encryption can be substituted for any kind of encryption and the cookie value encrypted can be combined with other cookie values to make it more difficult for the user to directly key in the cookie in the browser.