Streaming the images through an ASPX page is a good solution. Though Referrer could be hacked.

What you could do is use a unique salt (keyword) and generate against MD5 (SHA-1 or SHA-2) if you are really concerned with security. Run the current epoch time as well against this as well, this puts an expiry on images as well. Store this "keycode" in the cookies. Whenever images are served you basically pass this via the querystring. The validation happens on the ASPX on the other end. You could even regenerate a new "keycode" between each request using either an HTTPRequestModule or the Global.asax page.

There will be overhead, but it will prevent anyone from hotlinking.

You could refuse any requests for images that don't have your site in the HTTP referer header field. That's the theory. In order to control requests in your application, you'd have to stream all images through an ASP page (as opposed to linking to them directly).

One thing I've seen that I thought was clever is to add an extra portion to the bottom of the image, and then use a css sprite technique to cut it off when shown on your site. A naive hotlink will result in displaying your extra portion. This will mean the image is skewed, so it doesn't look right on the other site, and you can use the extra portion to show your own url or whatever else you want.

Simplest way to do this is with a UrlRewrite in IIS 7.0.

https://help.maximumasp.com/KB/a738/using-url-rewrite-to-prevent-image-hotlinking.aspx

<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="PreventImageHotlinking" enabled="true" stopProcessing="true">


<match url=".*\.(gif|jpg|png)$" />
  <conditions>
                        <add input="{HTTP_REFERER}" negate="true" pattern="^$" />
                        <add input="{HTTP_REFERER}" negate="true" pattern="http://www.YourDomain.com/.*" />
  </conditions>
  <action type="Rewrite" url="/images/hotlinking.jpg" />
</rule>
            </rules>
        </rewrite>
    </system.webServer>