After much research, I solved it.

My folder system is setup like this:

/file-share/users-folder-name

My .htaccess file under /file-share is as follows:

# .htaccess /file-share

RewriteEngine On
RewriteBase /

# no cookie set    
RewriteCond %{HTTP_COOKIE} !^.*client.*$ [NC]
RewriteRule ^(.*)$ /file-share-redirect.php?q=$1 [NC,L]

# cookie set 
RewriteCond %{QUERY_STRING} !verified$ [NC]
RewriteCond %{HTTP_COOKIE} client=([^;]+) [NC]
RewriteRule ^(.*)$ /file-share/%1/$1?verified [NC,L,QSA]

# custom 404
ErrorDocument 404 /file-share-redirect.php?e=404&q=$1

#end

If the cookie is set and the file exists in the client’s folder then the client is redirected seamlessly to the requested file. The final file request is also given a url parameter to avoid a loop in redirection.

If a user is logged but the cookie is not set I have my file-share-redirect.php file create the cookie then redirect to the requested file. The cookie created in the code below is set to expire in an hour.

<?php setcookie('client', $users_folder_name, time()+3600); ?>

UPDATE

You can keep the cookie secure by using an encrypted cookie name and value. The cookie will only be created on systems where users log in.

PHP’s setcookie() will even let you create a cookie that is inaccessible from JavaScript. I double checked this.

The subfolder names will be quite complex, completely unguessable. No one will ever see the subfolder names except those with ftp access. Even those logged in will only see /_/filename.ext, without the subfolder.