diff --git a/core/ormdocument.class.inc.php b/core/ormdocument.class.inc.php
index 8db9782cb..60897a50b 100644
--- a/core/ormdocument.class.inc.php
+++ b/core/ormdocument.class.inc.php
@@ -149,7 +149,7 @@ class ormDocument
 	 */
 	public function GetDisplayURL($sClass, $Id, $sAttCode)
 	{
-		$sSignature = md5($this->GetData());
+		$sSignature = $this->GetSignature();
 		// TODO: When refactoring this with the URLMaker system, mind to also change calls in the portal (look for the "p_object_document_display" route)
 		return utils::GetAbsoluteUrlAppRoot() . "pages/ajax.render.php?operation=display_document&class=$sClass&id=$Id&field=$sAttCode&s=$sSignature&cache=86400";
 	}
@@ -161,7 +161,7 @@ class ormDocument
 	public function GetDownloadURL($sClass, $Id, $sAttCode)
 	{
 		// Compute a signature to reset the cache anytime the data changes (this is acceptable if used only with icon files)
-		$sSignature = md5($this->GetData());
+		$sSignature = $this->GetSignature();
 		// TODO: When refactoring this with the URLMaker system, mind to also change calls in the portal (look for the "p_object_document_display" route)
 		return utils::GetAbsoluteUrlAppRoot() . "pages/ajax.document.php?operation=download_document&class=$sClass&id=$Id&field=$sAttCode&s=$sSignature&cache=86400";
 	}
@@ -221,4 +221,12 @@ class ormDocument
 			$oPage->p($e->getMessage());
 		}
 	}
+
+	/**
+	 * @return string
+	 */
+	public function GetSignature(): string
+	{
+		return md5($this->GetData());
+	}
 }
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index a1b708d22..ec702bde5 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1159,7 +1159,8 @@ class UserRights
 				else
 				{
 					if (ContextTag::Check(ContextTag::TAG_PORTAL)) {
-						$sPictureUrl = utils::GetAbsoluteUrlAppRoot().'pages/exec.php/object/document/display/'.$sContactClass.'/'.$oContact->GetKey().'/'.static::DEFAULT_CONTACT_PICTURE_ATTCODE.'?exec_module=itop-portal-base&exec_page=index.php&portal_id='.PORTAL_ID;
+						$sSignature = $oPicture->GetSignature();
+						$sPictureUrl = utils::GetAbsoluteUrlAppRoot().'pages/exec.php/object/document/display/'.$sContactClass.'/'.$oContact->GetKey().'/'.static::DEFAULT_CONTACT_PICTURE_ATTCODE.'?cache=86400&s='.$sSignature.'&exec_module=itop-portal-base&exec_page=index.php&portal_id='.PORTAL_ID;
 					}
 					else {
 						$sPictureUrl = $oPicture->GetDisplayURL($sContactClass, $oContact->GetKey(), static::DEFAULT_CONTACT_PICTURE_ATTCODE);
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ManageBrickController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ManageBrickController.php
index 9ca1f9bd7..da09aa9a2 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ManageBrickController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ManageBrickController.php
@@ -691,15 +691,17 @@ class ManageBrickController extends BrickController
 						}
 						elseif ($oAttDef instanceof AttributeImage)
 						{
+							/** @var \ormDocument $oOrmDoc */
 							$oOrmDoc = $oCurrentRow->Get($sItemAttr);
 							if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
 							{
-								$sUrl = $oUrlGenerator->generate('p_object_document_display', array(
+								$sUrl = $oUrlGenerator->generate('p_object_document_display', [
 									'sObjectClass' => get_class($oCurrentRow),
 									'sObjectId' => $oCurrentRow->GetKey(),
 									'sObjectField' => $sItemAttr,
 									'cache' => 86400,
-								));
+									's' => $oOrmDoc->GetSignature(),
+								]);
 							}
 							else
 							{
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index a2047c4c3..443ade031 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1322,15 +1322,17 @@ class ObjectController extends BrickController
 			}
 			elseif ($oAttDef instanceof AttributeImage)
 			{
+				/** @var \ormDocument $oOrmDoc */
 				$oOrmDoc = $oObject->Get($oAttDef->GetCode());
 				if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
 				{
-					$sUrl = $oUrlGenerator->generate('p_object_document_display', array(
+					$sUrl = $oUrlGenerator->generate('p_object_document_display', [
 						'sObjectClass' => get_class($oObject),
 						'sObjectId' => $oObject->GetKey(),
 						'sObjectField' => $oAttDef->GetCode(),
 						'cache' => 86400,
-					));
+						's' => $oOrmDoc->GetSignature(),
+					]);
 				}
 				else
 				{
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
index 5118c492a..9659796d3 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
@@ -373,8 +373,14 @@ class UserProfileBrickController extends BrickController
 					$aFormData['error'] = $e->GetMessage();
 				}
 
-				// TODO: This should be changed when refactoring the ormDocument GetDisplayUrl() and GetDownloadUrl() in iTop 3.0
-				$aFormData['picture_url'] = $oUrlGenerator->generate('p_object_document_display', array('sObjectClass' => get_class($oCurContact), 'sObjectId' => $oCurContact->GetKey(), 'sObjectField' => $sPictureAttCode, 'cache' => 86400, 't' => time()));
+				$oOrmDoc = $oCurContact->Get($sPictureAttCode);
+				$aFormData['picture_url'] = $oUrlGenerator->generate('p_object_document_display', [
+					'sObjectClass' => get_class($oCurContact),
+					'sObjectId' => $oCurContact->GetKey(),
+					'sObjectField' => $sPictureAttCode,
+					'cache' => 86400,
+					's' => $oOrmDoc->GetSignature(),
+					]);
 				$aFormData['validation'] = array(
 					'valid' => true,
 					'messages' => array(),
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php b/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php
index 11c9f3995..b7df3bbd2 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php
@@ -908,8 +908,21 @@ class ObjectFormManager extends FormManager
 					if ($this->oContainer !== null)
 					{
 						// Override hardcoded URLs in ormDocument pointing to back office console
-						$sDisplayUrl = $this->oContainer->get('url_generator')->generate('p_object_document_display', array('sObjectClass' => get_class($this->oObject), 'sObjectId' => $this->oObject->GetKey(), 'sObjectField' => $sAttCode, 'cache' => 86400));
-						$sDownloadUrl = $this->oContainer->get('url_generator')->generate('p_object_document_download', array('sObjectClass' => get_class($this->oObject), 'sObjectId' => $this->oObject->GetKey(), 'sObjectField' => $sAttCode, 'cache' => 86400));
+						$oOrmDoc = $this->oObject->Get($sAttCode);
+						$sDisplayUrl = $this->oContainer->get('url_generator')->generate('p_object_document_display', [
+							'sObjectClass' => get_class($this->oObject),
+							'sObjectId' => $this->oObject->GetKey(),
+							'sObjectField' => $sAttCode,
+							'cache' => 86400,
+							's' => $oOrmDoc->GetSignature(),
+							]);
+						$sDownloadUrl = $this->oContainer->get('url_generator')->generate('p_object_document_download', [
+							'sObjectClass' => get_class($this->oObject),
+							'sObjectId' => $this->oObject->GetKey(),
+							'sObjectField' => $sAttCode,
+							'cache' => 86400,
+							's' => $oOrmDoc->GetSignature(),
+						]);
 						/** @var \Combodo\iTop\Form\Field\BlobField $oField */
 						$oField->SetDisplayUrl($sDisplayUrl)
 							->SetDownloadUrl($sDownloadUrl);
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Helper/BrowseBrickHelper.php b/datamodels/2.x/itop-portal-base/portal/src/Helper/BrowseBrickHelper.php
index 8c9ca8893..6d1864875 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Helper/BrowseBrickHelper.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Helper/BrowseBrickHelper.php
@@ -360,12 +360,14 @@ class BrowseBrickHelper
 						{
 							if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
 							{
-								$tmpAttValue = $this->oUrlGenerator->generate('p_object_document_display', array(
+								$oOrmDoc = $tmpAttValue;
+								$tmpAttValue = $this->oUrlGenerator->generate('p_object_document_display', [
 									'sObjectClass' => $sCurrentObjectClass,
 									'sObjectId' => $sCurrentObjectId,
 									'sObjectField' => $aLevelsProperties[$key][$sOptionalAttribute],
 									'cache' => 86400,
-								));
+									's' => $oOrmDoc->GetSignature(),
+								]);
 							}
 							else
 							{
@@ -410,12 +412,13 @@ class BrowseBrickHelper
 							$oOrmDoc = $value->Get($aField['code']);
 							if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
 							{
-								$sUrl = $this->oUrlGenerator->generate('p_object_document_display', array(
+								$sUrl = $this->oUrlGenerator->generate('p_object_document_display', [
 									'sObjectClass' => $sCurrentObjectClass,
 									'sObjectId' => $sCurrentObjectId,
 									'sObjectField' => $aField['code'],
 									'cache' => 86400,
-								));
+									's' => $oOrmDoc->GetSignature(),
+								]);
 							}
 							else
 							{
@@ -530,12 +533,14 @@ class BrowseBrickHelper
 						{
 							if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
 							{
-								$tmpAttValue = $this->oUrlGenerator->generate('p_object_document_display', array(
+								$oOrmDoc = $tmpAttValue;
+								$tmpAttValue = $this->oUrlGenerator->generate('p_object_document_display', [
 									'sObjectClass' => get_class($aCurrentRowValues[0]),
 									'sObjectId' => $aCurrentRowValues[0]->GetKey(),
 									'sObjectField' => $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute],
 									'cache' => 86400,
-								));
+									's' => $oOrmDoc->GetSignature(),
+								]);
 							}
 							else
 							{
diff --git a/datamodels/2.x/itop-portal-base/portal/src/VariableAccessor/CombodoCurrentContactPhotoUrl.php b/datamodels/2.x/itop-portal-base/portal/src/VariableAccessor/CombodoCurrentContactPhotoUrl.php
index a23f6e6ab..dcec2ef37 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/VariableAccessor/CombodoCurrentContactPhotoUrl.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/VariableAccessor/CombodoCurrentContactPhotoUrl.php
@@ -112,7 +112,13 @@ class CombodoCurrentContactPhotoUrl
 				if (is_object($oImage) && !$oImage->IsEmpty())
 				{
 					// TODO: This should be changed when refactoring the ormDocument GetDisplayUrl() and GetDownloadUrl() in iTop 3.0
-					$sContactPhotoUrl = $this->oContainer->get('url_generator')->generate('p_object_document_display', array('sObjectClass' => get_class($oContact), 'sObjectId' => $oContact->GetKey(), 'sObjectField' => $sPictureAttCode, 'cache' => 86400));
+					$sContactPhotoUrl = $this->oContainer->get('url_generator')->generate('p_object_document_display', [
+						'sObjectClass' => get_class($oContact),
+						'sObjectId' => $oContact->GetKey(),
+						'sObjectField' => $sPictureAttCode,
+						'cache' => 86400,
+						's' => $oImage->GetSignature(),
+						]);
 				}
 				else
 				{