Build a website: should I use a number or random unique string as ID in URLs?


December 2018

Views: 145

1

Hi, I am building an Internet website with Java and the Spring framework. I believe my question is not technology or framework related.

I need to have links in the user interface so that visitors can click them to see records. These links have the format of

http://mysite.com?id=number-id-or-random-unique-string

Not all records are allowed to be viewed. For the ID parameter in the URL, I could use the database-generated number as the ID value, so I would not need any additional programming. Or I could use a unique random string (for example: jcTDjhdDUls) as the ID value (I would have to program this part). Numbers allow curious people (with good or bad intentions) to EASILY guess and try other IDs. Unique random strings seem better in this regard.

However, no matter whether numbers or strings are used as the value for the ID, I have a security check in the backend code to see whether a visitor is allowed to see a record. From this perspective, I am not sure what the real benefit of having a random string as the ID is.

I hope to have input from experienced people. What design decision would you choose? Or are there other, better ideas?

Thanks and regards.

1 answer

4

You certainly can if you want to, but I would not go through the trouble of randomizing the ID. This is, at its root, "security through obscurity (STO)." Sometimes STO is useful, but in this case I don't think it is worth complicating and bloating the code and memory footprint. It's surprisingly easy to enumerate the valid IDs whether they're randomized or not, using a tool like Burp Suite. All the security controls that really matter should be implemented in the backend.
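The following is an added example, not code from the question or the answer above, and it does not use the asker's Spring application (which is not shown). It puts the two points of the thread side by side: how an opaque random ID of the shape mentioned in the question (an 11-character string such as jcTDjhdDUls, i.e. 8 random bytes in URL-safe Base64) would be generated with the JDK's SecureRandom, and the backend authorization check the answer says is the control that actually matters. The check does not depend on whether the ID is a database number or a random string, and it returns the same outcome for a record the visitor may not see as for one that does not exist, so that trying other IDs reveals nothing about which records are there. The Record class, the in-memory store, the owner/public model and the Outcome values are assumptions made for this illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: opaque record IDs plus a backend authorization check that
// works identically for numeric and random IDs. The data model below is an
// assumption for illustration, not the asker's application.
public class RecordAccessExample {

    private static final SecureRandom RNG = new SecureRandom();

    // 8 random bytes -> 11 URL-safe Base64 characters (about 64 bits of
    // entropy), the same shape as the "jcTDjhdDUls" sample in the question.
    static String newOpaqueId() {
        byte[] buf = new byte[8];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Constructed record model (assumption): an ID of any shape, an owner,
    // and a flag marking records that every visitor may see.
    static final class Record {
        final String id;
        final String ownerId;
        final boolean isPublic;
        final String body;

        Record(String id, String ownerId, boolean isPublic, String body) {
            this.id = id;
            this.ownerId = ownerId;
            this.isPublic = isPublic;
            this.body = body;
        }
    }

    // Outcome the HTTP layer would map to a status code. Forbidden and
    // nonexistent records share one outcome on purpose.
    enum Outcome { OK, NOT_FOUND }

    private final Map<String, Record> store = new HashMap<>();

    void save(Record r) {
        store.put(r.id, r);
    }

    // The backend check from the question: per-record decision whether the
    // current visitor may view it. The ID format plays no role here, which
    // is why the answer calls this the control that really matters.
    Outcome view(String requestedId, String visitorId) {
        Record r = store.get(requestedId);
        if (r == null) {
            return Outcome.NOT_FOUND;
        }
        boolean allowed = r.isPublic || r.ownerId.equals(visitorId);
        return allowed ? Outcome.OK : Outcome.NOT_FOUND;
    }

    public static void main(String[] args) {
        RecordAccessExample app = new RecordAccessExample();

        // Constructed sample data: one private record keyed by a
        // database-style number, one private record keyed by an opaque ID,
        // and one public record.
        app.save(new Record("42", "alice", false, "private, numeric id"));
        String opaque = newOpaqueId();
        app.save(new Record(opaque, "alice", false, "private, opaque id"));
        app.save(new Record("43", "bob", true, "public record"));

        System.out.println("alice views 42       -> " + app.view("42", "alice"));
        System.out.println("bob views 42         -> " + app.view("42", "bob"));
        System.out.println("bob views " + opaque + " -> " + app.view(opaque, "bob"));
        System.out.println("anonymous views 43   -> " + app.view("43", "anonymous"));
        System.out.println("anonymous views 44   -> " + app.view("44", "anonymous"));
    }
}
```

Compile and run with `javac RecordAccessExample.java && java RecordAccessExample`. The design choice worth noting is that the random ID only changes how hard a valid ID is to guess; the view method is what decides whether a guessed ID yields anything, so it must be present either way, and returning one outcome for both the forbidden and the missing case keeps an ID-guessing visitor from learning which records exist.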