Is it advisable to hash ids in url?

I'm not sure what the proper terms are or if it's even called hashing but is it advisable to do something like /user/gPUasb or /user/gPUasb/edit? to perhaps prevent users from guessing ids and manually going to each user's profile and maybe spam them or worse collect data from them? I'm just curious because I've never seen big sites with urls that point to user profiles with something as simple as user/1 or user/1/edit

Sergiu17

7 years ago

Level 60

Let me try to explain a bit. Let's say you have 2 user with id 1 and 2, next you have your edit user profile function

class UsersController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth');
    }

    public function edit($id)
    {
        // this condition you need to add.
        if(auth()->user()->id != $id)
        {
            return abort(403, 'Unauthorized action.');
        }

        $user = User::findOrFail($id);
        
        return view('users.edit', compact('user'));
    }
}

Now when user with ID 1 will access site.com/users/1/edit he will be able to edit, but when he will access site.com/users/2/edit he will get 403, Unauthorized action, and you don't need anymore slugs, hashed and so one. Other alternatives are middlewares or policies

Snapey

7 years ago

Best Answer

Level 122

some arguments why id's are not a good idea https://philsturgeon.uk/http/2015/09/03/auto-incrementing-to-destruction/

1 like

p0t4t0

7 years ago

Level 3

@Sergiu17 I am aware of validation checks and middleware and wasn't the point of my post but thanks for trying, @Snapey thanks this is exactly what I was looking for

aurawindsurfing

7 years ago

Level 50

Eh never easy, right?

Please or to participate in this conversation.