I'm building an e-commerce application. The path to an order looks like /Orders/Details/{orderId}.
However, I don't want to expose the orderId to the end user.
How can I identify an order without using the database identifier?
Is it necessary to generate some random unique string like a GUID?
A:
You could post a value to the order/details page, and send the orderID that way. You could also possibly have some other unique string for orders and use that instead, depending on how you are storing the data and why you want to hide the orderID.
GSto
2010-09-03 18:31:25
+1
A:
You would need to assign some other identifier to the entity that you didn't mind users seeing (some kind of alternate key).
Alternatively you could use encrypted or obfuscated IDs, and have your application handle decryption or de-obfuscation.
Cocowalla
2010-09-03 18:32:34
If userId and orderDate uniquely identify an order, would it be safe to use (userId.asString() + orderDate.asString()).hashCode()?
kilonet
2010-09-03 18:43:05
No - hashCode cannot guarantee to produce unique values
Cocowalla
2010-09-03 18:52:00
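The "encrypted or obfuscated ID" option from this answer, and the hashCode point from the comments, as an added example that is not code from this thread: a keyed, tamper-evident order reference built only from the Python standard library, where SECRET_KEY and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo key: a real application loads this from a secret store.
SECRET_KEY = os.urandom(32)


def encode_order_ref(order_id: int, key: bytes = SECRET_KEY) -> str:
    """Turn a sequential order id into an opaque, per-call-unique reference."""
    nonce = os.urandom(8)
    # Keystream derived from key + nonce; XOR hides the id from the user.
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:8]
    ct = bytes(a ^ b for a, b in zip(struct.pack(">Q", order_id), keystream))
    # Encrypt-then-MAC: the tag makes guessed or edited references fail.
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).rstrip(b"=").decode()


def decode_order_ref(ref: str, key: bytes = SECRET_KEY):
    """Return the order id, or None if the reference is forged or altered."""
    try:
        raw = base64.urlsafe_b64decode(ref + "=" * (-len(ref) % 4))
    except ValueError:
        return None
    if len(raw) != 32:
        return None
    nonce, ct, tag = raw[:8], raw[8:16], raw[16:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:8]
    return struct.unpack(">Q", bytes(a ^ b for a, b in zip(ct, keystream)))[0]


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(), to show why it is not a unique identifier."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


if __name__ == "__main__":
    ref = encode_order_ref(12345)
    print(ref, "->", decode_order_ref(ref))          # round-trips to 12345
    print(java_string_hash("Aa") == java_string_hash("BB"))  # True: collision
```

The HMAC-derived keystream is used only to keep the example dependency-free; in production prefer a library AEAD such as AES-GCM, or simply store a random alternate key per order as the answer also suggests.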
A:
You are on the right track - using an integer as the orderId can lead to a forceful browsing attack. Maybe you can use a GUID as the primary key in your database.
OpenSource
2010-09-03 18:33:40