Showing your "naked" ID in URLS = unsecure?

There are a few reasons not to use IDs in the URL.

Here's an interesting article about it

Thanks for the link @Ruffles - if this really is best practice then I am wondering why does Laravel not have ID obfuscating built-in? Why have I watched @JeffreyWay tutorials for hours now any never heard of it?

Andreas

Jeffrey can't cover every possible detail or tip there is for web development but you can make a list of all those small details and just use them in your every day work. I believe that he mentioned something in the URLs video from 2 weeks ago.

There's a lot of things you can learn from everywhere even if you think you already know it.

@andreasb Actually... he did do a video about it, and only a few weeks ago. https://laracasts.com/lessons/unique-slugs-in-laravel

It all depends on the issue. You don't always need to hide them.

Security is always relative. In theory each step to secure something has trade offs. Generally loss in performance and/or increase in complexity. You have to out way the pros and cons for each step or layer. When the rubber meets the road though you have to understand that as a developer it's your legal responsibility to ensure data is secure. For example passwords; proven fact most people only use a couple of different ones for everything so any app must at least hash the password.

Other aspects like passing ids, even hidden form inputs which aren't really hidden, once you get used to not using them and using a random unique string or integer it becomes second nature and in this case, maybe 4 lines of code with only a very slight performance hit (> 1ms) and minimal added complexity.

@andreasb I use Optimus for obfuscating the ids, I don't like my users to know what number they are...

Sometimes numbers matter: Marge: Homer, a man who called himself "you-know-who" just invited you to a secret "wink-wink" at the "you-know-what". You certainly are popular now that you're a Stonecutter. Homer: Oh, yeah. Beer busts, beer blasts, keggers, stein hoists, AA meetings, beer night. It's wonderful, Marge. I've never felt so accepted in all my life. These people looked deep within my soul and assigned me a number based on the order in which I joined.

More seiously, there are a few good libraries to create universally unique ids for users or anything really. I dig this as referenced in the article @Ruffles posted. For my own project where I don't care about reversing and just need a unique id, I use bin2hex(openssl_random_pseudo_bytes(16) which would generate a 32 character hexadecimal represenation of the 16 bytes produced from the PRNG. I was inspired to go that route by the answer on this topic: http://security.stackexchange.com/questions/40310/generating-an-unguesable-token-for-confirmation-e-mails

I use it for that purpose as well as for some non-user items that are exposed to authenticated users which could theoretically be programmatically traversed if they weren't obfuscated.

Edit: @cloudstudio just posted a link to coderabbi's 50 Laravel Tricks in 50 minutes. #10 shouws how to generate and use a UUID for a model's primary key.

Well and by the way if you plan to use hashids then you can combine the readme and this post https://laracasts.com/discuss/channels/general-discussion/routebind-to-decode-hashid and you are done within minutes - great work and thanks at @xsmall for the great post!

Whaha :D thanks @andreasb