Jackdaw's Nest

Obfuscating Id's

October 29, 2015

What?

If you're using plain integer id's for your records, obfuscating the id's from the general public might be a good idea. You can use UUID's but that's not always possible, for instance, if you're working on a legacy project and don't want to fiddle with the database (yet).

Obfuscating id's can get handy. Basically, what it means is you can turn id's into random strings and back. For instance, you can turn 243242 to cds7rk23 and turn cds7rk23 back to 243242. There are libraries that handle this, like Tiny for php by Zack Kitzmiller.

Why?

Why would you want to do this? Well, if you have URL's like http://myapp.com/api/user/1245 it's pretty easy to guess that there probably are users with id's 1-1245. And if this is a public API, it's even more improtant. If you can guess all the data endpoints it's possible that someone is able to pull out all the data through your API. That could be your goal but in many cases it's probably not.

If you use obfuscating the url could look something like http://myapp.com/api/user/7Hc6dl3 which is a lot more difficult to guess. And it makes it close to impossible to try to guess all the other id's available.