I think there are two solutions in your list that fit your use case best; the read query before the update (solution 2) and sending an update token with the read request (solution 5).
If you're worried about performance, I'd decide on one or the other depending on how many reads vs updates to a resource you expect. If you expect way more updates than reads, then obviously solution 5 is better, because you don't need to do an additional database fetch to figure out the owner of the resource.
However, you shouldn't forget the security implications of giving out an update token. With solution 2, assuming authentication is secure, then updating a resource is probably also secure because you determine the owner of a resource on the server.
With solution 5, You don't double-check the claim the client makes, except that you check for a valid signature. If you're letting the update happen over a cleartext link (eg, no SSL), then only encoding the resource and user id in the token isn't secure. For one, you're opening yourself to replay attacks, so you should include a nonce that grows with each request. Also, if you don't encode a timestamp/expiration date in the update token, you basically give indefinite update access to anyone who has that token. Finally, if you don't want the nonce, then you should at least include an hmac of the fetched resource, so that the update token is only valid for the state of the resource as it was fetched. This makes replay attacks more difficult and further limits the damage knowledge of the update token can do, since the update token is only valid when the resource is in the given state.
I think that even if you're communicating over a secure link, adding a nonce (or at least an hmac of the state of the resource) and an expiration date for the update token would be a clever thing to do. I don't know the application domain, but you may deal with malicious users and they might wreck all kinds of havoc with the power of unlimited update access to their own resources.
Adding a nonce will mean an additional column per resource in your database where you store the value of the nonce you sent with the last fetch request. You can compute the hmac over the serialized json representation of your resource. You can then send your token not as part of the message body but as an additional HTTP header.
Oh, and I'd use a token, not a URL; in REST, the update URL for a given resource should be the same URL the resource was fetched from, right? I'd move all authentication & authorization-related stuff to the HTTP headers, e.g. you could provide the update token in the Authorization Header of the PUT request.
Note that adding a nonce that grows with each resource fetch will also require a database update (the new value for the nonce) for each resource fetch request (although you may get away with only updating the nonce when the state of the resource is actually changed, so it would be free from a performance standpoint), unless you want to keep that information in transient memory and simply have the clients retry when your server is restarted between a fetch and an update request.
A side note to your solution 4 (client side sessions): Depending on the number of resources your users can create, the session size might not be a problem. The client side session update problem might be fairly easy to solve, as well: If an update request to a resource fails because the resource is not listed in the session data you received from your client, but the user is correct, then you do a check in the backend whether the session data from that client is outdated. If it is, you allow the update and send back an updated cookie with the answer to the update request. This will only cause a database lookup when a user tries to update a resource from a client with outdated local session data (or when he is malicious and tries to ddos you, but rate limiting to the rescue!). However, I agree that solution 4 is more complicated than the others and you're better of with one of your other ideas. Solution 4 also has various security considerations you should take into account; storing this much authorization state on the client really needs your security to be watertight.
Best Answer
If you are looking for ideas about security for REST web services then look at the OpenAuth spec Appendices describing the "handshake".
http://oauth.net/core/1.0/#anchor27
Creating web services that adhere to OpenAuth standards is probably one of the more secure ways that this can be done. It can give you ideas on authentication, authorization strategies.
The following is an example taken from the Authorization header in a GET or POST:
I am not going to go into all the details of OpenAuth but essentially it allows a client to provide a consumer key that identifies the client, a token that identifies the user, and a signature that represents the Base64 encoded bytes of the encrypted signature to verify that the request has not been tampered or altered on transport.
Building the signature string typically involves the percent encoded combination of the entire request, parameters, as well as consumer key, token, nonce, and a consumer secret which the client should keep safe. Once this signature string has been built and percent encoded it can then by encrypted, and those encrypted bytes can be constructed into a Base64 encoded string that is included in the Authorization header.
If you perform this over SSL, then this is undoubtedly one of the most secure ways to handle authentication/authorization of a REST based web service.