There’s a couple ways you can achieve it.

1. The first is link to a script or action that authenticates the request, and then returns an image. You can find an example with ASP.NET MVC here. The downside is it’s pretty inefficient, and you run the risk of twice the bandwidth for each request (once so your server can grab the image from wherever it’s stored, and once to serve it to your users).

2. The second option, you can do like Facebook and just generate obscure url’s for each photo. As Thomas said in his comment, you’re not going to guess a 27 digit number.

3. The third option I think is the best, especially if you’re using something like Microsoft Azure or Amazon S3. Azure Blob Storage supports Shared Access Signatures, which let’s you generate temporary url’s for private files. These can be set to expire in a few minutes, or last a lifetime. The files are served directly to the user, and there’s no risk if the url leaks after the expiration period.

   Amazon S3 has something similar with Query String Authentication.

Ultimately, you need to figure out your threat model, and make a decision weighing the pros and cons of each approach. On Facebook, these are images that have presumably been shared with hundreds of friends. There’s a significantly lower expectation of privacy, and so maybe authenticating every request is overkill. A random, hard to guess URL is probably sufficient, and let’s them serve data through their CDN, and minimizes the amount of processing per request. With Option 3, you’re still going to have overhead of generating those signed URL’s.