Action caching will help improve matters, but if you need to
authenticate for every image, you are already in a bad place for
performance.
Lighttpd, and I'm sure other servers, have a way of serving 'secure'
downloads. This works by putting a token into the URL for each image
when you generate the HTML. This token will expire shortly, so only
that user will be able to read those images. The images are then
served directly by the web server (but only if the token is valid).
I've seen this technique used for downloading purchased MP3 files, and
it worked as advertised.
More info (including a Rails example) at the mod_secdownload page:
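The token-in-URL scheme described in this post, as an added Ruby example that is not from the original thread nor lighttpd's own source. It follows the classic mod_secdownload layout (MD5 over secret, path and hex timestamp; URL of the form prefix/token/timestamp/path); the secret, URI prefix, timeout and file names are constructed sample values. `secure_download_url` is what the HTML generator would call, and `verify_secure_download` mirrors the check the web server performs before it serves the file, returning a reason symbol so you can see why an expired or tampered URL is refused.

```ruby
require "digest/md5"

# Constructed sample configuration (assumption, not from the post):
SECDOWNLOAD_SECRET = "change-me-example-secret"   # shared between app and web server
URI_PREFIX         = "/dl/"                       # secdownload.uri-prefix
TIMEOUT_SECONDS    = 60                           # secdownload.timeout

# Build the URL the HTML generator embeds for one file.
# token = MD5(secret + "/" + rel_path + hex_timestamp), mirroring the classic scheme.
def secure_download_url(rel_path, now = Time.now.to_i)
  path  = "/" + rel_path.sub(%r{\A/+}, "")
  ts    = format("%08x", now)
  token = Digest::MD5.hexdigest(SECDOWNLOAD_SECRET + path + ts)
  "#{URI_PREFIX}#{token}/#{ts}#{path}"
end

# Constant-time comparison so a token check does not leak how many
# leading characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check, as the web server module would do it before serving.
# Returns the relative file path on success, or a symbol naming the rejection.
def verify_secure_download(url, now = Time.now.to_i)
  return :bad_prefix unless url.start_with?(URI_PREFIX)
  rest = url[URI_PREFIX.length..-1]
  m = %r{\A([0-9a-f]{32})/([0-9a-f]{8})(/.+)\z}.match(rest)
  return :malformed unless m

  token, ts, path = m.captures
  # Reject directory traversal before looking at anything else.
  return :traversal if path.include?("/../") || path.end_with?("/..")

  expected = Digest::MD5.hexdigest(SECDOWNLOAD_SECRET + path + ts)
  return :bad_token unless secure_compare(expected, token)

  # Timestamp must be within +/- timeout of "now" (a future stamp is rejected too).
  issued = ts.to_i(16)
  return :expired if (now - issued).abs > TIMEOUT_SECONDS

  path[1..-1]
end

if __FILE__ == $PROGRAM_NAME
  t0  = 1_200_000_000
  url = secure_download_url("music/track01.mp3", t0)
  puts url
  puts verify_secure_download(url, t0).inspect                 # "music/track01.mp3"
  puts verify_secure_download(url, t0 + 120).inspect           # :expired
  puts verify_secure_download(url.sub("track01", "track02"), t0).inspect  # :bad_token
end
```

The path is part of the signed data, so a valid token for one file cannot be reused for another, and the short timeout limits how long a leaked link stays useful; the web server still needs the file root configured so the relative path cannot escape it.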
I have a plugin that extends Rails Action Caching to use the X-
Sendfile header on lighttpd or the equivalent on nginx to send the
cached file, so your Rails code only needs to care about action
caching, and all the magic will be enabled by the server
configuration.
There's a gem that is supposed to take care of this on Mongrel,
although I haven't tried it. We're about to tackle the same issue, so
if you use this and it works for you, would you mind dropping us a
line?