
Hack-proof website, why not?

Started by October 23, 2015 06:08 PM
93 comments, last by ronan.thibaudau 8 years, 10 months ago

Heh. This reminds me of a honey pot I put in several of my sites. Embedded deep inside is a plaintext string in a URL request that looks like SQL. Its only purpose is to be checked for changes and it is in no way part of the database code. If it's been changed, the curious person trying to tweak it ends up temporarily firewalled and an email alert comes to me...
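For readers who want to see what such a canary looks like in practice, here is an added example (not the poster's code): a URL parameter that looks like SQL but is only ever compared against its expected value. A mismatch records an alert and puts the client on a temporary block list. The canary string, the parameter name, the block duration and the in-memory block list are all assumptions standing in for the poster's firewall rule and email.

```python
# Added example (not code from the thread): a honeytoken URL parameter check.
# The canary below is a constructed value; the block list and alert list are
# hypothetical stand-ins for the firewall rule and e-mail described in the post.
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Looks like SQL, but is never passed to any database: it exists only to be compared.
EXPECTED_CANARY = "SELECT id FROM files WHERE owner=1"
CANARY_PARAM = "q"
BLOCK_SECONDS = 15 * 60          # assumed length of the temporary block

_blocked = {}                    # client IP -> time at which the block expires
ALERTS = []                      # collected alert lines (a real deployment would e-mail them)


def is_blocked(client_ip, now=None):
    """True while client_ip is inside its block window; expired entries are dropped."""
    now = time.time() if now is None else now
    until = _blocked.get(client_ip)
    if until is None:
        return False
    if now >= until:
        del _blocked[client_ip]
        return False
    return True


def check_request(url, client_ip, now=None):
    """Classify one request as 'allow', 'tampered' or 'blocked'.

    A request whose canary parameter differs from EXPECTED_CANARY is treated as
    deliberate tampering: the client is blocked for BLOCK_SECONDS and an alert is recorded.
    """
    now = time.time() if now is None else now
    if is_blocked(client_ip, now):
        return "blocked"
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get(CANARY_PARAM)
    if not values:
        return "allow"           # canary absent: not this check's business
    # Constant-time comparison; encode first because compare_digest on str rejects non-ASCII.
    if hmac.compare_digest(values[0].encode("utf-8"), EXPECTED_CANARY.encode("utf-8")):
        return "allow"
    _blocked[client_ip] = now + BLOCK_SECONDS
    ALERTS.append(f"honeytoken tampered by {client_ip}: {values[0]!r} (url={url})")
    return "tampered"


if __name__ == "__main__":
    # Constructed sample traffic: one untouched request, one edited one, then a retry.
    for ip, u in [("10.0.0.1", "/view?q=SELECT+id+FROM+files+WHERE+owner%3D1"),
                  ("10.0.0.2", "/view?q=SELECT+id+FROM+files+WHERE+owner%3D2"),
                  ("10.0.0.2", "/view?q=SELECT+id+FROM+files+WHERE+owner%3D1")]:
        print(ip, check_request(u, ip))
    print("\n".join(ALERTS))
```

The point of the design is that the canary never reaches a query, so editing it cannot harm anything; it only tells you that someone is poking at parameters that an ordinary visitor would never touch. Blocking is keyed on the client address and expires on its own, which matches the "temporarily firewalled" behaviour above without needing a manual cleanup.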

Did it ever get triggered?

Yeah they get triggered so often I end up muting the email lol. Oddly enough very few people ever email me to tell me about the "hole" ;)

Why exactly are you using the URL for anything related to security? Do you not have a credentials-based log-in session set up? /TheClearAndEasyToUnderstandFileName or just /YourFiles is a whole lot cleaner and easier to deal with from a user's standpoint.

I guess that is already answered by ronan.thibaudau: his server should not contain any user data at all:

We don't really store "Customer data", what can be hacked (not on our system, but outside as it transit on the net) are actual 3D models generated from sets of pictures of a given person, those are pretty much uninteresting except for the given person.

So I guess he intends to use the URL to contain such session information (how exactly he handles session failures like browser crashes and so on without the customer losing access to the generated model IDK, but he mentioned that he only described the service and how it works in parts, which is understandable)...

There's no "user", "session" or "login"; it's public access. If you have the URL you can download the file. There's nothing to keep and there's no webpage: you get a link, you click on it, you download. If you have the link then you have the rights to download without providing other proofs.

From a user standpoint it changes nothing: they get an email with a "model.zip" download link, which is a link to the long URL; they click, they get a popup asking where to save model.zip; they neither type nor see the URL.
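The scheme described here is a capability URL: the link itself is the credential, so everything rests on the token being impossible to guess. As an added example (not the service's own code), the block below issues such links with 256 bits of randomness, stores only a hash of each token so a leaked table does not yield working links, rejects malformed tokens before lookup, and lets a link be revoked. The base URL, the token format and the in-memory table are assumptions.

```python
# Added example (not the service's code): unguessable download links where holding
# the URL is the only credential. The base URL and in-memory store are assumptions.
import hashlib
import re
import secrets

BASE_URL = "https://example.invalid/dl/"          # placeholder host
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")     # shape of secrets.token_urlsafe(32)

# Maps sha256(token) -> file name. Storing only the hash means a copy of this
# table (a backup, a log dump) does not give anyone a working link.
_links = {}


def _fingerprint(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_link(filename):
    """Create a fresh link for filename; the token carries 256 bits of randomness."""
    token = secrets.token_urlsafe(32)
    _links[_fingerprint(token)] = filename
    return BASE_URL + token


def revoke_link(url):
    """Forget a link so it stops working (e.g. once the customer has downloaded)."""
    token = url.rsplit("/", 1)[-1]
    return _links.pop(_fingerprint(token), None) is not None


def resolve_link(url):
    """Return the file name for url, or None if the token is malformed or unknown."""
    token = url.rsplit("/", 1)[-1]
    if not _TOKEN_RE.fullmatch(token):
        return None              # wrong length or alphabet: never touch the table
    # The lookup key is a hash the requester cannot steer bit by bit, so an
    # ordinary dict lookup is fine here; the raw token is never compared directly.
    return _links.get(_fingerprint(token))


if __name__ == "__main__":
    link = issue_link("model.zip")          # this is what the customer's email would carry
    print(link)
    print(resolve_link(link))               # -> model.zip
    print(resolve_link(BASE_URL + "A" * 43))  # well-formed but unknown -> None
    revoke_link(link)
    print(resolve_link(link))               # -> None
```

With a 43-character token drawn from 256 random bits, enumerating links is not a practical concern; what remains is the trade-off the poster accepts, namely that anyone who obtains the URL (from the email, a shared browser history, or a proxy log) can download the model, which is why it helps to serve it only over HTTPS and to revoke or expire links once they have served their purpose.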


Anyone even remotely related to security (or things that should be secure) should check this out:

void hurrrrrrrr() {__asm sub [ebp+4],5;}

There are ten kinds of people in this world: those who understand binary and those who don't.

Anyone even remotely related to security (or things that should be secure) should check this out:

I'm 13 minutes in and I don't think anyone related to security is unaware of those things so far; it's good pedagogical material for people who aren't involved in security and need to be taught about it (CEOs etc.).

This topic is closed to new replies.
