Probably the same way WordPress creates/modifies a .htaccess file.

You simply need to create a script that will generate the correct file contents for a .htpass or a .htaccess file.

When a user purchases something, add a line to the .htpass file that contains the user/pass combination, and all them to a group (probably based on filename). Then, only allow that group to access that file.

Another way to do this would be through databases.

First, when the user makes a payment, have a few tables to store their data.

First Table: User/Password

This stores the email/password combination that must be used to gain access to the users files. Basically the table consists of

int Unq_ID | text Email_Addr | varchar(150) Password

That holds your user/pass combinations.

Second Table: Files

This table holds all of your files names, IDs and where they are created.

int Unq_ID | varchar(150) Name | text Directory

Third Table: Relationship

This last table holds the relationship between the User and the Password. Also very simple:

int Unq_ID | int User_ID | int Product_ID

Basically, if the person logs in with a valid Username/Password, you go grab relationship entries that match their User_ID, and join the files with on the Product ID. To verify they can download something, simply check that an entry exists that has the right User_ID and Product_ID.

To protect a file from being accessed, make an htaccess file like this

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^.+$ [NC]
RewriteRule .* - [F,L]

which deny from anyone accept PHP’s fopen function. Then you just create a PHP script that grabs the contents, and presents it as a download.