Secure a download link after payment with PayPal

Published 2019-09-09 17:01

Question:

I have a PayPal "buy now" button that has a return URL which redirects to a download page after payment.

The only thing is that the user can copy and paste the URL of the download page and share it, which is a disaster.

They can also come back to the download page, which I do not want unless they paid; so each time they are redirected to the download page, they must have first paid.

How do I secure the URL and check whether the user paid or not? If they paid they can be redirected to the download page; otherwise they should not be redirected.

Thanks for your help in advance.

Answer 1:

Don't rely on the user accessing a particular URL to validate the order; you'll open yourself to fraud. I outlined these attacks as an example in A Gentle Introduction to Application Security, and gave the only real solution:

[S]erver-server API integration is the only real solution. Instead of relying on the user to click a URL (which is brittle even in a utopian world where no one acts maliciously), your checkout provider will tell your server which items were purchased and how much money was transmitted.

The best way to get started is the PayPal API documentation.
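To make the answer's point concrete, here is an added example (not code from the original answer, and not PayPal's API) of the server side of such a flow. It assumes a hypothetical hook, `record_verified_payment`, which the server calls only after the checkout provider has confirmed the transaction server-to-server; the download link is then an HMAC-signed, expiring, single-use token issued by the server, so a copied or replayed URL is rejected even though the buyer can see it. All transaction ids, item names and the signing key below are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-demo-signing-key"
TOKEN_TTL_SECONDS = 15 * 60  # a download link is valid for 15 minutes

# Server-side state. Only payments the provider confirmed to *our server*
# (never a redirect the browser followed) end up in verified_payments.
verified_payments: dict[str, dict] = {}
redeemed_nonces: set[str] = set()


def record_verified_payment(txn_id: str, item: str, amount_cents: int) -> None:
    """Hypothetical hook: called after a server-to-server confirmation from
    the checkout provider, never from the return-URL redirect."""
    verified_payments[txn_id] = {"item": item, "amount_cents": amount_cents}


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_download_token(txn_id: str, expected_amount_cents: int, now=None):
    """Return a signed, expiring, single-use token for a verified payment,
    or None if the payment is unknown or the amount does not match."""
    payment = verified_payments.get(txn_id)
    if payment is None or payment["amount_cents"] != expected_amount_cents:
        return None
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # makes each token single-use
    expires = now + TOKEN_TTL_SECONDS
    payload = f"{txn_id}|{payment['item']}|{expires}|{nonce}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_sign(payload)).decode())


def verify_download_token(token: str, now=None):
    """Return the item the token grants access to, or None if the token is
    malformed, forged, expired, already used, or for an unknown payment."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    txn_id, item, expires, nonce = payload.decode().split("|")
    now = int(time.time() if now is None else now)
    if now >= int(expires):
        return None  # expired link
    if nonce in redeemed_nonces:
        return None  # link was shared or replayed
    if txn_id not in verified_payments:
        return None  # payment reversed or never confirmed
    redeemed_nonces.add(nonce)
    return item


if __name__ == "__main__":
    # Before the provider confirms anything, no link can be issued.
    print(issue_download_token("TXN-CONSTRUCTED-001", 1999))  # None
    record_verified_payment("TXN-CONSTRUCTED-001", "ebook.pdf", 1999)
    link = issue_download_token("TXN-CONSTRUCTED-001", 1999)
    print(verify_download_token(link))  # ebook.pdf
    print(verify_download_token(link))  # None: same link pasted a second time
```

The return URL from the checkout page then only needs to redirect to a page that calls `verify_download_token`; whether the download happens is decided entirely by state the server learned from the provider, not by the URL the browser arrived at.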