Making S3 objects viewable only for logged in users


As a service provider, I allow logged in users to upload documents to a web server, and upload it to S3. The logged in user should subsequently be able to view his own documents, and I want to serve it directly from S3, with some token-based authentication per request.

I thought that this was a pretty simple and standard use case for S3, but I am unable to find a standard way to this.

Does S3 effectively support per request authentication at object level, and what is the "correct" or "standard" way to do this.

I have read some documentation for STS, but am not able to find a clear way to solve this.

Pre signed urls almost works; the only difficulty is that that it seems to only work with a pre-set expiration time, and "logout" is not supported.