Say I have a table Users with the id being an integer. Each user is somehow aware of their id; for example, the id is included in a URL to their profile. Or it's exposed to them in some other way, it doesn't matter. How wise is it not to expose it to them? Could it be a vulnerability for me as a website owner to allow my users to know their own and thus the other users' ids? Or should I instead either use a GUID as the primary key, or add one more column called "long_id" and expose only that, because it'll be difficult for them to guess it?
Related: [Should I obscure database primary keys (IDs) in application front end?](https://security.stackexchange.com/questions/56357/) – sleske Aug 25 '22 at 11:42
2 Answers
It really depends on what you can do with that knowledge. Ask yourself the following questions:
- As a user of the site do I need to know my ID to use it?
- If a user knows their own ID what does that really mean?
- If a user knows someone else's ID, what knowledge or access does that grant them?
Finally, if the ID is used within a URL that displays someone's details, does changing that ID display someone else's details? If so, then that's an access control issue, not necessarily an issue with knowing the ID.
Regardless of knowing IDs, as an attacker I would be interested in getting as low an ID as possible, either 1 or 0, as those tend to be the Admin user within the application.
Usually yes, it is. You should never have the need to pass userid via query string.
You should use the cookie submitted by the user, then look up the cookie in your database to retrieve the userid.
When passing the userid via the query string, you might create vulnerabilities, such as allowing someone to change the query string manually and circumvent user authorization by making changes to accounts other than the user's own account.
`You should never have the need to pass userid via query string` - why? – Incerteza Nov 22 '16 at 11:14
I think you mean that you shouldn't put blind trust in input the user sends you. Whether it comes from a query string, the url or a cookie isn't important. – Out of Band Nov 22 '16 at 13:17
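An added example, not code from either answer or from the commenters: it puts the first answer's access-control point and the second answer's session lookup side by side, with one handler that trusts the id from the URL and one that resolves the caller from a server-side session and then authorizes the requested id. The table contents, function names and the `Forbidden` exception are hypothetical.

```python
import secrets

# Constructed sample data: a Users table keyed by integer id, as in the question.
USERS = {
    1: {"name": "admin", "email": "admin@example.test", "is_admin": True},
    2: {"name": "alice", "email": "alice@example.test", "is_admin": False},
    3: {"name": "bob", "email": "bob@example.test", "is_admin": False},
}
SESSIONS = {}  # random session token (the cookie value) -> user id, server-side


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def login(user_id):
    """Issue an unguessable session token for an already authenticated user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def profile_unchecked(requested_id):
    """Flawed handler: trusts the id taken from the URL and checks nothing else."""
    return USERS[requested_id]


def profile_checked(session_token, requested_id):
    """Identify the caller from the session, then authorize the requested id."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Forbidden("no valid session")
    # The id in the URL only says WHICH record is wanted, never WHO is asking.
    if requested_id != caller_id and not USERS[caller_id]["is_admin"]:
        raise Forbidden("not your record")
    user = USERS.get(requested_id)
    if user is None:
        raise Forbidden("no such record")
    return user
```

With the check in place the integer id can stay in the URL; replacing it with a GUID changes how easily ids are guessed, not whether the handler authorizes the request.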