
AydenWH's avatar

Hide ID from URL

I know there have been a lot of threads asking how to hide the ID from the URL, as the user might try to abuse it by inputting a different ID.

After reading a few threads on Stack Overflow, Laracasts and other sources, I still haven't found a solution, and most of the replies on the forum were "No, it is impossible to hide it".

Some of the sources were using an encryption method to hide the ID.

One solution that comes to mind is using a UUID, but I am uncertain if this is a workaround.

For example: http://www.example/item/b14e5c00-e899-11e5-9c37-df062687b

I need some advice.

0 likes
7 replies
JackJones's avatar

It depends what you mean by "hide" and why you'd want to.

You can substitute it for something else (basically a slug), but that's more obfuscating than hiding.

Snapey's avatar

Say you wanted to send someone a link to a document, and you wanted that the link you sent could not be used as the basis of looking at other people's documents. Then you would choose something like a UUID, as it's virtually impossible to guess valid UUIDs.

Having said that, they are not very pretty.

Hashids are much shorter but less secure. These are used where you want to obfuscate the ID so that, for instance, it's not obvious how many customers you have. However, you should always validate that the user has the rights to use a specific hashid.

The other option is to use a regular ID but put a hash in the URL as a separate checkable value. This could be validated by middleware. No one is permitted to access random IDs because they won't know the relevant hash that goes with that resource+id.

1 like
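Added example, not part of the original thread or any poster's code: one way to implement the "regular ID plus a separate checkable hash" option from the post above, using an HMAC over the resource name and ID. The function names, the `/resource/id/signature` path layout and the key constant are assumptions made for illustration; in Laravel the check would sit in a route middleware, as the post suggests.

```php
<?php
declare(strict_types=1);

// Assumption: a constructed demo key. A real application loads it from configuration.
const URL_SIGNING_KEY = 'constructed-demo-key-not-for-production';

/** Compute the check value bound to one resource type and one id. */
function signResource(string $resource, int $id): string
{
    // Signing the resource name together with the id stops a signature
    // issued for /invoice/42 from being reused on /item/42.
    return hash_hmac('sha256', $resource . '|' . $id, URL_SIGNING_KEY);
}

/** Build a path of the form /item/42/<signature>. */
function signedPath(string $resource, int $id): string
{
    return sprintf('/%s/%d/%s', $resource, $id, signResource($resource, $id));
}

/** Middleware-style check: the id when the signature matches, null otherwise. */
function verifySignedPath(string $path): ?int
{
    // Only canonical ids (no leading zeros) and a 64-character hex signature are accepted.
    if (!preg_match('#^/([a-z]+)/([1-9]\d{0,17})/([0-9a-f]{64})$#', $path, $m)) {
        return null;
    }
    [, $resource, $id, $signature] = $m;
    $expected = signResource($resource, (int) $id);

    // hash_equals compares in constant time, so the comparison does not
    // reveal how many leading characters of a guessed signature were right.
    return hash_equals($expected, $signature) ? (int) $id : null;
}

// A path issued by the application verifies and yields its id.
$path = signedPath('item', 42);
var_dump(verifySignedPath($path));

// Editing the id in the URL without the key leaves a signature that no longer matches.
$tampered = str_replace('/42/', '/43/', $path);
var_dump(verifySignedPath($tampered));
```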
danmatthews's avatar
Level 5

Hashids!

https://github.com/ivanakimov/hashids.php

It's basically what YouTube etc. do - I've got two or three projects where I've got HashIDs set up to obfuscate URLs in my application.

Essentially, I use Eloquent's events to listen for a new model being created, then take the ID of it and convert that into a hashids string with a minimum length of, say, 6.

Then, you can use these in your URLs to look up models, as they'll be unique (because they're based off of the ID, which is unique).

And you can also override the Route Model Bindings to use the hashid to look for your model instead of the numeric ID, so you can still use the route model binding goodness.

I'm tempted to do a quick screencast about this on my blog; I'll post back here if I get time to do it.

4 likes
Snapey's avatar

Nice tutorial @danmatthews, but to reiterate my point: don't do this to protect resources, as without a long hash length there is not enough entropy. Better with a randomised token or UUID in that case.

jlrdw's avatar

And to follow up, if someone is properly logged in, then putting another ID in the URL won't do any good. Any secure things should be accomplished with POST anyway. I may have something like

tjhs/dog/edit?dogid=380

in the URL, but that is an admin page; the only person seeing it is the one person updating that record.

It all boils down to good security and who is allowed to do what.

danmatthews's avatar

Yeah, this isn't security, this is obscurity, but it's useful, I find, in a lot of situations.

As for entropy, I just ran a quick test with Hashids and made over 10 million hashes without it increasing the character count - so it's probably "good enough" for most use cases.

1 like
