What should I use as the "magic" or "secret" in my image URLs?
Facebook photographs are viewable by anyone in the world aware of the full asset URL. Each URL contains a profile ID, photo asset ID, requested size, and a magic hash to protect against brute-force access attempts. Something like:
/{profile-id}_{photo-id}_{magic}_{size}.jpg
For example:
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs443.snc4/50270_6831060656开发者_开发问答2_2720435_n.jpg
Flickr does something similar with their URLs. You can construct the source URL to a photo once you know its ID, server ID, farm ID and secret, as returned by many API methods.
The URL takes the following format:
http://farm{farm-id}.static.flickr.com/{server-id}/{id}_{secret}.jpg
What are Facebook and Flickr using for their "magic" or "secret" value? A randomly generated number? A hash of the image? A hash of the profile and the image? A sequence number? What should I use?
- The hash should not be a totally random number, or you will need to keep an association table linking every asset to such a number.
- The hash should not depend on actual bits of the photo, else you'll need to fetch the photo to recalculate the hash, and this may be a few megs.
- The hash should depend on information readily available at time of generation of any page: user ID, asset ID, maybe farm ID. It should be easily computable. But it should not be trivial to guess. It's almost a definition of a cryptographic hash.
So I'd combine available IDs into a long enough bit string and feed it to MD5 or SHA1, and used enough digits from the middle as the secret hash. Alternatively, I'd combine the IDs to create a e.g. 64-bit value, using shifts, addition, and xor, then use that value as a seed for a linear congruential random number generator with known parameters to produce the hash in several iterations.
精彩评论