0

I'm trying to improve the responsiveness of an app. The user indicates they want to add a Song object to a Playlist. To do so, I create a new Song object, save it to my server to set its ID, then, when the server responds successfully, I add the Song object to the Playlist.

This has the side-effect of giving the user an awkward delay between their action and the app's response.

I am wondering if it is OK to generate the GUIDs for my entities client-side instead of passing an object with an empty GUID to NHibernate (which then sets it while working with my SQL Server DB).

I would be using this method to generate a GUID:

'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
    var r = Math.random()*16|0, v = c == 'x' ? r : (r&0x3|0x8);
    return v.toString(16);
});

I am concerned about collisions, though. Should I be? Or are client-side and server-side generation of GUIDs mostly the same?

Sean Anderson

2 Answers

1

When generating IDs on the client side you cannot guarantee unique IDs, because client-side JavaScript code can be modified by versed users (or the request sent to the server can be modified). So you should generate the GUID on the server side to be safe.

micha
  • Couldn't an experienced user capture the GUIDs of two Songs, even if they have server-generated GUIDs, then replace one Song object's GUID with the other GUID and force a Save event to force a collision? It seems like collisions are still possible even with server-generated if we're considering malicious users. How do I guard against that? – Sean Anderson Dec 15 '12 at 21:44
  • Yes, a user can do this, but this shouldn't be a problem. You just have to make sure that you don't replace GUID values on the server side with values that are sent from the client. – micha Dec 15 '12 at 21:52
  • I ended up going with a composite key in the long run (oh dear) but I agreed with your responses the most so +1. Thank you :) – Sean Anderson Dec 16 '12 at 01:56
0

The method of generating a GUID you mentioned is definitely not safe and would result in collisions sooner or later. You should definitely generate the GUID on the server side.

Is there any reason for you to create new Song object?
Are you copying existing objects or creating brand new ones?
If it's a copy, you should consider linking the original to the playlist (you don't have to wait for the GUID then).

ritorujon
  • I'll give you the exact scenario. User has an empty playlist. User clicks 'Add Song.' I retrieve some data through an API and need to represent this data as a Song object in the playlist. If I generate a GUID client-side, I can add it immediately. Otherwise, I need to wait for the server to give the Song object an ID so it can be acted upon by the Playlist. My third option would be to generate a client ID, then save it to the server with no ID, then replace the client's ID with a server-generated ID once I know what the server gave me back, which seems like the best solution. – Sean Anderson Dec 15 '12 at 21:47
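
The flow discussed in the comments above (a temporary client ID that is swapped for a server-generated ID, with the server never keying a record on a client-sent value), sketched as an added example that is not code from any of the posters. Playlist, createSong, the tempId field and the request shape are hypothetical names, and the network round trip is replaced by a direct function call.

```javascript
// Added example: optimistic insert with a temporary client ID.
// All names here are hypothetical; they are not from the original thread.

class Playlist {
  constructor() {
    this.songs = [];      // kept as an array so playlist order is preserved
    this.nextTemp = 1;
  }

  // Show the song at once under an ID that only has to be unique in this client.
  addPending(data) {
    const tempId = `tmp-${this.nextTemp++}`;
    this.songs.push({ ...data, id: tempId, pending: true });
    return tempId;
  }

  // Server accepted the song: replace the temporary ID with the server's ID.
  confirm(tempId, serverId) {
    const song = this.songs.find((s) => s.pending && s.id === tempId);
    if (!song) return false;            // unknown or already reconciled
    song.id = serverId;
    song.pending = false;
    return true;
  }

  // Server rejected the song: roll back the optimistic insert.
  reject(tempId) {
    const i = this.songs.findIndex((s) => s.pending && s.id === tempId);
    if (i === -1) return false;
    this.songs.splice(i, 1);
    return true;
  }
}

// Stand-in for the server's create handler. It never uses an ID from the
// request as the primary key; tempId is only echoed back for correlation.
function createSong(store, request, newId = () => globalThis.crypto.randomUUID()) {
  const title = String(request.title || "").trim();
  if (!title) return { ok: false, tempId: request.tempId };
  const id = newId();                   // server-generated, whatever request.id claims
  store.set(id, { id, title });
  return { ok: true, id, tempId: request.tempId };
}
```

A request that carries the GUID of an existing Song in its `id` field still gets a fresh server ID, so the existing record is not overwritten.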