What should I use as the "magic" or "secret" in my image URLs?

Facebook photographs are viewable by anyone in the world aware of the full asset URL. Each URL contains a profile ID, photo asset ID, requested size, and a magic hash to protect against brute-force access attempts. Something like:

/{profile-id}_{photo-id}_{magic}_{size}.jpg

For example:

http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs443.snc4/50270_6831060656开发者_开发问答2_2720435_n.jpg

Flickr does something similar with their URLs. You can construct the source URL to a photo once you know its ID, server ID, farm ID and secret, as returned by many API methods.

The URL takes the following format:

http://farm{farm-id}.static.flickr.com/{server-id}/{id}_{secret}.jpg

What are Facebook and Flickr using for their "magic" or "secret" value? A randomly generated number? A hash of the image? A hash of the profile and the image? A sequence number? What should I use?

• The hash should not be a totally random number, or you will need to keep an association table linking every asset to such a number.
• The hash should not depend on actual bits of the photo, else you'll need to fetch the photo to recalculate the hash, and this may be a few megs.
• The hash should depend on information readily available at time of generation of any page: user ID, asset ID, maybe farm ID. It should be easily computable. But it should not be trivial to guess. It's almost a definition of a cryptographic hash.

So I'd combine available IDs into a long enough bit string and feed it to MD5 or SHA1, and used enough digits from the middle as the secret hash. Alternatively, I'd combine the IDs to create a e.g. 64-bit value, using shifts, addition, and xor, then use that value as a seed for a linear congruential random number generator with known parameters to produce the hash in several iterations.