I've read some things about hashing the user's ID (DB Primary Key) and keeping it a secret, but I can't really see why.
I'm creating a REST API with which you can retrieve resources from a certain user. Depending on the logged in user, he/she will receive public resources and, if authorized, private resources.
Is it bad to do something like this:
.../resources?user_id=17
Thanks
If you set the right permissions and disallow other users from abusing that ID, then it doesn't matter whether the ID is public or private.
You could of course use a separate ID to publicly represent the user, and use the private ID for permissions.
Well, the user will have to be identified by some id. Even if the public ID you're exposing is a hashed version of the actual id or some other random number... then that will be its public id. It doesn't really help you much at all.
There's only one argument for randomising the id: if you do not want people to simply scrape your content by incrementing a counter. Randomising the id makes it just a little bit harder to do so. Other than that: ask yourself what somebody can do knowing the id. Hopefully nothing, because your application is secure otherwise.
