We host our images on Amazon S3, and serve them through Amazon Cloudfront. We'd like to reduce our bandwidth expenses. We believe that we have quite a bit of bandwidth theft, and want to start using signed URLs to prevent this. However, we have to balance this against the fact that each time we send out a new signed url, it invalidates the browser caches for the image.
Our current plan is to generate a signed url that is valid for two months, then cache it locally and serve it for a month, before generating a new signed URL. This will allow the browser to cache the images for longer. However, this also means that anyone can then leech bandwidth for an image for up to two months.
Is there any way to have the link expire sooner, but have the browser continue to cache that image? I know that the etag and If-Modified-Since for the image do not change when the url is resigned for a new timestamp, but the the browser no longer knows to send those values in the header, because as far as it is concerned, this is a new URL. Is there any way around this problem?