-3

I need to use something like a short guid in the url instead of the ID.

So, the short guid must be 8 characters long and contain only digits and lower-case letters.

I want to add some "security" in urls.

I know it won't protect from hackers, but I don't want to use IDs because a user can look at the info for every ID.

With a short guid it will be more difficult to choose the identifier of a particular entity.

For example, I'm going to share a link to a document that contains some private data of a user, and I don't want it to be "example.com/document/id".

What ways are there to do that?

A. Gladkiy
  • I just want to replace the ID in the url so the end user can't choose the identifier of any item. – A. Gladkiy May 06 '19 at 16:31
  • You've asked a number of different questions in this question. To determine the answer to "how many duplicates will I catch?" you can answer the question in practice by implementing it and then counting duplicates, or theoretically by computing the number of bits of entropy in your identifier and dividing by two to get the log of the approximate separation between collisions. – Eric Lippert May 06 '19 at 18:47
  • Your question is very unclear; please edit it to explain **why** you “need to use something like short guid in url instead of ID”. What's wrong with using a long ID or the user “choose identifier to any item”? – Dour High Arch May 07 '19 at 12:38
  • @DourHighArch updated question – A. Gladkiy May 08 '19 at 05:51

1 Answer

1

It's really important to ask about your actual problem, not about the solution you've decided to use.

> I just want to replace the ID in the url so the end user can't choose the identifier of any item.

Putting magic codes in your URL will never prevent end users from choosing them, no matter how long the magic code is, because URLs are public, not private. URLs get stored in your browser cache, bookmarks, URL shorteners, get copied to emails, get shoulder-surfed by other people. Thinking URLs are private is called an Insecure direct object reference and is one of the top 10 web exploits.

The way to prevent end users from getting access to data they shouldn't is by authenticating every request. Include a unique nonce, cookie, or form token on every single request and check it on every single reply. How to do this depends on the technology you are using, which you haven't told us, but most web technologies include a way to do this. For example, ASP.NET MVC supplies an AntiForgeryToken that will create unique tokens and detect if they have been forged or recorded.

Dour High Arch
  • Why then do YouTube or url shorteners etc. use random strings in urls? – A. Gladkiy May 07 '19 at 07:12
  • Because the random string is shorter, not because they “can't choose”. Shorteners are not intended to be private; they **want** people to share and remember them. – Dour High Arch May 07 '19 at 12:35
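The following is an added worked example, not code from the question, the answer or either commenter. It covers two points raised on the page: Eric Lippert's comment on computing the entropy of an 8-character lower-case alphanumeric id and halving it to estimate how many ids you can issue before a collision is likely, and the answer's point that an opaque id does not replace an authorization check on every request. The `DocumentService` class, its session tokens and the sample users are constructed stand-ins for a real web framework; the ownership check is a generic authorization check, not ASP.NET's AntiForgeryToken (which defends against forged cross-site requests rather than against guessing another user's id).

```python
import math
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as the question requires
ID_LENGTH = 8


def short_id(length: int = ID_LENGTH) -> str:
    """Opaque identifier drawn from the OS CSPRNG via the secrets module.
    A seeded or default PRNG (random.choice) would let earlier ids predict later ones."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = ID_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_ids_before_collision(length: int = ID_LENGTH,
                                  alphabet_size: int = len(ALPHABET)) -> float:
    """Birthday bound: about 2**(bits/2) ids (sqrt of the id space) before the first
    duplicate becomes likely. For 8 base-36 characters that is 36**4 = 1,679,616."""
    return 2 ** (entropy_bits(length, alphabet_size) / 2)


@dataclass
class Document:
    id: str
    owner: str
    body: str
    shared_with: set = field(default_factory=set)


class DocumentService:
    """Constructed stand-in for a web application: documents keyed by opaque id, with an
    authorization check on every read. The hard-to-guess id is only a bonus; the
    ownership check is what actually prevents an insecure direct object reference."""

    def __init__(self) -> None:
        self._docs: dict[str, Document] = {}
        self._sessions: dict[str, str] = {}  # session token -> username (hypothetical auth)

    def login(self, username: str) -> str:
        """Issue a random session token; a real app would verify credentials first."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def create(self, session: str, body: str) -> str:
        owner = self._require_user(session)
        doc_id = short_id()
        while doc_id in self._docs:  # on collision, regenerate rather than overwrite
            doc_id = short_id()
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def share(self, session: str, doc_id: str, with_user: str) -> None:
        user = self._require_user(session)
        doc = self._docs.get(doc_id)
        if doc is None or doc.owner != user:  # only the owner may grant access
            raise PermissionError("not found or access denied")
        doc.shared_with.add(with_user)

    def read(self, session: str, doc_id: str) -> Document:
        user = self._require_user(session)
        doc = self._docs.get(doc_id)
        # One error for both "no such id" and "not yours": the response must not reveal
        # which ids exist, or the opaque id becomes an oracle.
        if doc is None or (user != doc.owner and user not in doc.shared_with):
            raise PermissionError("not found or access denied")
        return doc

    def _require_user(self, session: str) -> str:
        try:
            return self._sessions[session]
        except KeyError:
            raise PermissionError("not authenticated") from None


if __name__ == "__main__":
    print(f"entropy: {entropy_bits():.1f} bits, "
          f"collision expected after ~{expected_ids_before_collision():,.0f} ids")
    svc = DocumentService()
    alice, bob = svc.login("alice"), svc.login("bob")
    doc_id = svc.create(alice, "alice's private data")
    print("alice reads own doc:", svc.read(alice, doc_id).body)
    try:
        svc.read(bob, doc_id)  # bob knows the url but is not authorized
    except PermissionError as exc:
        print("bob reading alice's doc:", exc)
```

Note that the entropy figure (about 41 bits) says only how hard a single id is to guess; the birthday bound says that after roughly 1.7 million documents you should expect duplicates, which is why `create` loops on collision. Neither number matters for access control: `read` rejects Bob whether he guessed the id, found it in a browser history, or was sent the link, and only an explicit `share` changes that.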