Action caching will help improve matters, but if you need to
authenticate for every image, you are already in a bad place for
Lighttpd and I'm sure other servers have a way of serving 'secure'
downloads. This works by putting a token into the URL for each image
when you generate the HTML. This token will expire shortly, so only
that user will be able to read those images. The images are then
served directly by the web server (but only if the token is valid).
I've seen this technique used for downloading purchased MP3 files, and
it worked as advertised.
More info (including a Rails example) at the mod_secdownload page:
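An added example, not part of the original post and not taken from the lighttpd documentation: a Ruby sketch of the expiring-token scheme described above, using mod_secdownload's classic URL layout (prefix, MD5 token, hex timestamp, path), with a mirror of the check the web server performs. The secret, prefix, timeout and function names are assumptions made for illustration.

```ruby
require 'digest/md5'

# Assumed values; they must match secdownload.secret, secdownload.uri-prefix
# and secdownload.timeout in the lighttpd configuration.
SECRET     = 'constructed-example-secret'
URI_PREFIX = '/dl/'
TIMEOUT    = 60 # seconds

# Build the URL the application emits into the HTML for one image.
# Layout: <uri-prefix><token>/<timestamp-in-hex><rel-path>
# with token = MD5(secret + rel-path + timestamp-in-hex).
def secure_url(rel_path, now = Time.now)
  raise ArgumentError, 'rel_path must start with /' unless rel_path.start_with?('/')
  hex_time = format('%08x', now.to_i)
  token = Digest::MD5.hexdigest(SECRET + rel_path + hex_time)
  "#{URI_PREFIX}#{token}/#{hex_time}#{rel_path}"
end

# Constant-time comparison, so the check does not leak how many
# leading characters of the token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirror of the server-side check (hypothetical helper, for testing the
# generator). Returns [:ok, rel_path], :bad_format, :expired or :bad_token.
def check_url(url, now = Time.now)
  m = %r{\A#{Regexp.escape(URI_PREFIX)}(\h{32})/(\h{8})(/.*)\z}.match(url)
  return :bad_format unless m
  token, hex_time, rel_path = m.captures
  return :bad_format if rel_path.split('/').include?('..')
  # Reject links older than TIMEOUT, and links stamped in the future.
  age = now.to_i - hex_time.to_i(16)
  return :expired if age.abs > TIMEOUT
  expected = Digest::MD5.hexdigest(SECRET + rel_path + hex_time)
  return :bad_token unless secure_compare(expected, token.downcase)
  [:ok, rel_path]
end
```

The token binds the path and the timestamp, not the user's session, so anyone holding the URL can fetch the file until it expires; keep the timeout short and the secret out of source control.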