5

I'm developing an ASP.NET MVC application. One of my actions requires id as a parameter. For example:

```csharp
// Detail action: the full GUID arrives as the route parameter.
public ActionResult Detail(Guid id)
{
    return View();
}
```

As you can see, I'm using Guid instead of Int. The issue is more cosmetic. The URL can be very long, such as localhost/Detail/0c157b42-379d-41d5-b9ba-83e9df9985b2.

Is it safe to take only parts of the Guid like localhost/Detail/0c157b42?

ire_and_curses
dritterweg

6 Answers

5

GUID is designed in such a way that it is intended to be unique, but any part of it is not. See this blog post for details. If you need to shorten the GUID take a good hash of it - like SHA-1 or (if you don't have security concerns) MD5.

sharptooth
  • Shortening? You mean, you take a 36 char long GUID (if the example in the question is valid), and __shorten__ it to 32 characters? (__if__ you use md5, which will result in 32 chars, and not SHA1, which will result in 48 chars) – pihentagy May 17 '10 at 16:15
  • 1
    @pihentagy: The point is that after hashing you can take part of the hash and it will be random enough, but you can't take a part of the GUID itself. – sharptooth May 18 '10 at 05:13
3

No, it's not safe.

You can calculate a SHA-2 hash of it though, and take the first few characters of that.

Noon Silk
2

No, you need the entire GUID since there is a possibility that a subset may not be unique.

For example:

0c157b42-379d-41d5-b9ba-83e9df9985b2

0c157b42-379d-41d5-b9ba-83e9df9985b3

Notice, only the last number is different. The beginnings are both the same. You can't use the trailing end of the GUID either since there's no way to predict what part of the GUID will change when it's created.

Community
Soviut
0

Some other options to consider:

* If there is more than one Details object with a GUID starting with 0c157b42, have the URL localhost/Detail/0c157b42 show a list of applicable Details objects.
* URL aliasing - allow for a "Friendly URL" field on the Details object.

Spongeboy
0

You can clean the GUID of -s and convert the HEX to Base32 (A-Z,0-5) which will shorten it to 16 characters.

  • Guids are 128 bit integers. Base32 is 32 values per character, which is `2^5`, 5 bits. You'd need `128 / 5 = 25.6` characters to fully represent a guid. Base64 would be shorter with `128 / 6 = 21.3`. The fractional components are identified by paddings, so you'd need to bump those figures up a couple notches to compensate for that. – Travis Watson Aug 13 '13 at 14:17
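
Added example, not from any of the posts on this page: a lossless 22-character URL-safe Base64 form of a GUID (the arithmetic in the comment above, with padding dropped), next to the birthday-bound collision estimate for an 8-hex-character prefix. The names `ShortGuid`, `Encode`, `TryDecode` and `CollisionProbability` are made up for this illustration, and the 122-bit figure assumes version 4 (random) GUIDs.

```csharp
using System;

public static class ShortGuid   // hypothetical helper, not a framework type
{
    // Lossless: all 128 bits survive, so uniqueness is unchanged. 16 bytes -> 22 chars.
    public static string Encode(Guid id) =>
        Convert.ToBase64String(id.ToByteArray())              // 24 chars, ends in "=="
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static bool TryDecode(string s, out Guid id)
    {
        id = Guid.Empty;
        if (s == null || s.Length != 22) return false;        // truncated or padded input
        try
        {
            var g = new Guid(Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/') + "=="));
            if (Encode(g) != s) return false;                 // one canonical URL per GUID
            id = g;
            return true;
        }
        catch (FormatException) { return false; }
    }

    // Birthday bound: chance that n random IDs of `bits` bits contain a duplicate.
    public static double CollisionProbability(double n, int bits)
    {
        double x = n * (n - 1) / (2.0 * Math.Pow(2, bits));
        return x < 1e-8 ? x : 1.0 - Math.Exp(-x);             // avoid rounding tiny values to 0
    }

    public static void Main()
    {
        // The two GUIDs quoted in the answer above: distinct values, identical 8-character prefix.
        var a = Guid.Parse("0c157b42-379d-41d5-b9ba-83e9df9985b2");
        var b = Guid.Parse("0c157b42-379d-41d5-b9ba-83e9df9985b3");
        Console.WriteLine("prefixes equal:  " + (a.ToString("N").Substring(0, 8) == b.ToString("N").Substring(0, 8)));
        Console.WriteLine("encodings equal: " + (Encode(a) == Encode(b)));

        string token = Encode(a);
        Console.WriteLine($"{token} ({token.Length} chars)");
        Console.WriteLine("round trip ok:   " + (TryDecode(token, out Guid back) && back == a));

        // An 8-hex-character prefix keeps 32 bits; compare with 122 random bits.
        foreach (double n in new[] { 1e3, 1e4, 1e5 })
            Console.WriteLine($"n={n:N0}: 32-bit {CollisionProbability(n, 32):P2}, 122-bit {CollisionProbability(n, 122):E1}");
    }
}
```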
-2

Bit of a late response but in case anyone reads this...

Depending on the use, you can provide a shortened GUID value.

For instance, if the ID value is generated and given to the user as an Authentication Token sort of value, then during the generation you could just take however many characters and compare it with other in-use values. If any match, then just generate a new one and re-compare until it's unique.

This technique is also advisable if you trim a hash value of the GUID too, just to be safe. In fact, any time you randomly generate a value to be used as an ID, you should make sure it is not 'already in use'.

  • I'd advise against doing the "check if is not already in use" yourself, due to the risk of race conditions. Doing this means you need to lock the database, in case another thread generates the same id at the same time. Much better to create a full GUID, or push the ID creation on the DB's responsibility (e.g. auto-increment Int) – Spongeboy May 20 '12 at 11:00