spring - Build a website: should I use a number or random unique string as ID in URLs?
Hi, I am building an internet website with Java and the Spring framework. I believe this question is not technology or framework related.
I need to have links in the user interface that visitors can click to see records. These links have the format of
http://mysite.com?id=number-id-or-random-unique-string
Not all records are allowed to be viewed. For the id parameter in the URL, I can use the database-generated number ID value and not need to have additional programming. Or I can use a unique random string (for example: jctdjhdduls) as the ID value (I have to program that part). Numbers allow curious people (with or without bad intentions) to guess and try other IDs. Unique random strings seem better in that regard.
However, no matter whether numbers or strings are the value for the ID, I have a security check in the backend code to see whether the visitor is allowed to see the record. From that perspective, I am not sure of the real benefit of having a random string ID.
I hope to have input from experienced people. Which design decision should I choose? Or are there other better ideas?
Thanks and regards.
You can if you want to, but I would not go through the trouble to randomize the ID. At its root, this is "security through obscurity (STO)." STO can be useful, but in this case I don't think it is worth complicating and bloating your code and memory footprint. It's surprisingly easy to enumerate valid IDs whether they're randomized or not, using a tool like Burp Suite. The security controls that matter should be implemented in the backend.
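The backend check both posts refer to, as an added example that is not code from the question or the answer: the lookup is authorized against the record's owner, so the outcome is the same whether the id in the URL is a database number or a random string. The `Doc` type, the in-memory `STORE`, `fetchFor` and the user names are assumptions made for illustration; in a real application the caller id would come from the authenticated session, never from a request parameter.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class RecordAccessDemo {
    // Hypothetical record type: every row carries the id of the user who owns it.
    record Doc(String id, String ownerId, String body) {}

    // Stand-in for the database table (assumption for this example).
    static final Map<String, Doc> STORE = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    // A 128-bit URL-safe id from a CSPRNG, the alternative to a database sequence number.
    static String randomId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The control that matters: load the record, then compare its owner to the caller.
    // "No such id" and "not your record" both return empty, so the response
    // does not confirm which ids exist.
    static Optional<Doc> fetchFor(String callerId, String requestedId) {
        Doc doc = STORE.get(requestedId);
        if (doc == null || !doc.ownerId().equals(callerId)) {
            return Optional.empty();
        }
        return Optional.of(doc);
    }

    public static void main(String[] args) {
        // Constructed sample data: one record with a numeric id, one with a random id.
        STORE.put("1001", new Doc("1001", "alice", "alice's invoice"));
        String rid = randomId();
        STORE.put(rid, new Doc(rid, "bob", "bob's invoice"));

        System.out.println(fetchFor("alice", "1001").isPresent()); // owner, numeric id
        System.out.println(fetchFor("bob", "1001").isPresent());   // non-owner, guessed numeric id
        System.out.println(fetchFor("alice", rid).isPresent());    // non-owner who holds the random id
        System.out.println(fetchFor("bob", rid).isPresent());      // owner, random id
    }
}
```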