views:

287

answers:

5

For example: http://stackoverflow.com/questions/396164/exposing-database-ids-security-risk and http://stackoverflow.com/questions/396164/blah-blah load the same question.

(I guess this is DB id of Questions table? Is this standard in ASP.NET?)

What are the pros and cons of using this type of scheme in your web app?

+3  A: 

Well, for one, simple IDs are usually sequential, so it's quite easy to guess at and retrieve other data from your application.

http://stackoverflow.com/questions/395857/doesnt-matter-what-I-type-here http://stackoverflow.com/questions/395858/doesnt-matter-what-I-type-here

Now, having said that, that might also be seen as a bonus, because nobody in their right mind would make their whole security hinge on the fact that you have to click on a link to get to your secure data, and thus easy discoverability of the data might be good.

However, one point is that you're at some point going to reindex your database; having something that makes the old URLs invalid would be bad, if for no other reason than that search engines would still have old links.

Also, here on SO it's quite normal to use links like this to other questions, so if they at some point want to reindex and thus renumber things (or move to GUIDs), they will still have to keep the old structure and IDs.

Now, is this likely to ever happen or be needed? Probably not.

I wouldn't worry too much about it; just build your security as though every entry point to your application is known and there should be no problems.

Lasse V. Karlsen
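The point in the answer above is object-level authorization: a sequential ID in the URL is harmless only if the lookup behind it also checks that the requester may see that record. The following is an added example (not code from the question, any answer, or Stack Overflow itself); the record store, the user names and the handler names are constructed for illustration. It contrasts the bare "take the ID, call the database" lookup with one that enforces ownership, and simulates an attacker walking IDs 1..10 against each.

```python
"""Object-level authorization for ID-based URLs (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Record:
    id: int
    owner: str
    body: str


# Constructed sample data: IDs are sequential, exactly as an
# autoincrement primary key would hand them out.
RECORDS = {
    1: Record(1, "alice", "alice's invoice"),
    2: Record(2, "bob", "bob's invoice"),
    3: Record(3, "alice", "alice's second invoice"),
    4: Record(4, "carol", "carol's invoice"),
}


def parse_id(segment: str) -> Optional[int]:
    """Turn the URL path segment into an int, or None if it is not a plain
    ASCII decimal in canonical form. Rejects '-1', '1e3', '0x10', ' 2',
    Unicode digits and zero-padded forms such as '007'."""
    if not (segment.isascii() and segment.isdigit()):
        return None
    value = int(segment)
    if str(value) != segment:
        return None
    return value


def fetch_record_insecure(segment: str, current_user: str) -> Optional[Record]:
    """The 'take the ID, call the database' pattern with no ownership check.
    current_user is accepted but ignored, so any caller can walk every ID."""
    record_id = parse_id(segment)
    if record_id is None:
        return None
    return RECORDS.get(record_id)


def fetch_record(segment: str, current_user: str) -> Optional[Record]:
    """Same lookup, but the row is released only if the caller owns it.
    Returns None (serve as 404) for both 'missing' and 'not yours', so the
    response does not confirm which IDs exist."""
    record_id = parse_id(segment)
    if record_id is None:
        return None
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        return None
    return record


Handler = Callable[[str, str], Optional[Record]]


def enumerate_ids(handler: Handler, current_user: str, upper: int = 10) -> List[int]:
    """Simulate an attacker incrementing the ID in the URL from 1 to upper
    and collecting the IDs that came back with data."""
    found = []
    for i in range(1, upper + 1):
        rec = handler(str(i), current_user)
        if rec is not None:
            found.append(rec.id)
    return found


if __name__ == "__main__":
    print("insecure, as bob:", enumerate_ids(fetch_record_insecure, "bob"))
    print("checked, as bob: ", enumerate_ids(fetch_record, "bob"))
```

The ownership test lives next to the lookup rather than in the routing layer, so every code path that reaches the record passes through it; the uniform None for "missing" and "not yours" is deliberate, since a 403 on one ID and a 404 on the next would still let the attacker map which IDs are in use.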
A: 

But remember in a community like this there is a higher (although still minimal) chance of the same question name being posted at the same time, which would break things, thus some kind of unique identification needs to be applied; IDs are probably quite logical in the context that this particular web application was developed in.

Kezzer
If you add the unique field in the db, then the second insert will give an error, that you can catch in your application.
FryGuy
+3  A: 
  1. The database ID is used to look up the question in the database. It's numerical, which means: fast. If you left it out, you would have to look up the title, which is a lot slower.

  2. The question itself is part of the url to make it "search engine friendly". It'll be higher ranked by g**gle etc.

Marcel
+1  A: 

Pro:

  • Super easy to retrieve the page information. Take the ID, call the database, voilà. Your table will (should) be indexed to make this lookup super fast.
  • Guaranteed unique URL.

Con:

  • IDs in your system are being publicly displayed. Not a problem in a publicly available system like SO. However, proper security measures on the back end can make this not a problem even on sensitive systems.
  • Ugly URLs. 6+ digit numbers are just hard to remember, and make it more difficult to distinguish pages, if the number is all that identifies it. This can also have SEO consequences, as URLs with more relevant and well structured information are generally ranked better. SO compensates by providing the post name in the URL as well. While I still can't rattle off a particular post to my buddy at lunch, I can still find it easier in the browser history.
  • Slower lookups. Doing text searches on a database is generally slower.
Wes P
A: 

I don't think it's bad practice, and it's fairly common, to do it in ASP.NET and other frameworks. As @lassevk said, if your security depends on it, then you need some more checks in there (can user X get to record Y), but it more comes down to the SEO-friendliness of the URLs for public sites.

For example, SO's URLs are fairly friendly:

http://stackoverflow.com/questions/407120/pros-and-cons-of-using-db-id-in-the-url

google rates information at the START of the URL higher than at the end, so having it look like:

http://stackoverflow.com/pros-and-cons-of-using-db-id-in-the-url/q/407120

should get a higher ranking for "pros and cons of using db id in the url". It's not the only factor, but it is quite a major one - look at Amazon's format, they do it for a very good reason:

http://www.amazon.com/Maverick-Ricardo-Semler/dp/0712678867

http://server/book-name/dp/book-id

Wordpress does it like this:

http://server/yyyy/mm/dd/name-of-the-post

however, if you post two posts on the same day called "foo", you get:

http://server/yyyy/mm/dd/foo

http://server/yyyy/mm/dd/foo2

the slug (foo/foo2) isn't a PK, but it IS maintained as unique over the posts table.

I think putting the ID in the URL isn't a problem, unless your URL is a GUID! Way too long, and hard to type. If it's an int, or some kind of short GUID (e.g. 6-8 chars), then it shouldn't be a problem.

Nic Wise
Can you please provide a reference to say that Google prefers placement of text in URLs? I've never heard of that one before and I can't find anywhere that says it is true.
EnderMB
Sorry, I don't have a reference except "it's SEO!", which is about as good as "it's black magic". But I'm told, by those I work with who "do" SEO, that it matters. <sigh>
Nic Wise
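The ID-plus-slug layout discussed in the answer above (and the WordPress slug-uniqueness it describes) can be made concrete. The following is an added example, not code from any answer, from Stack Overflow or from WordPress; the route shape, the redirect-to-canonical behaviour when the slug is missing or stale, and the `foo`/`foo2` numbering are assumptions modelled on the answer's description. The numeric ID is the only thing used for the lookup; the slug is regenerated from the stored title and never trusted from the request.

```python
"""ID-plus-slug routing and slug uniqueness (added example, constructed data)."""
import re
from typing import Optional, Set, Tuple

# Constructed sample posts: the ID is the database key, the slug is
# derived from the title and exists for humans and search engines only.
POSTS = {
    407120: "Pros and cons of using DB id in the URL",
    396164: "Exposing database IDs - security risk?",
}

# Only digits may appear in the ID segment; the slug segment is optional
# and restricted to [a-z0-9-] so it cannot carry anything surprising.
ROUTE = re.compile(r"^/questions/(\d+)(?:/([a-z0-9-]*))?/?$")


def slugify(title: str) -> str:
    """Lower-case, keep runs of [a-z0-9], join with '-'. Deterministic, so
    the canonical slug can always be recomputed from the stored title."""
    return "-".join(re.findall(r"[a-z0-9]+", title.lower()))


def resolve(path: str) -> Tuple[int, Optional[str]]:
    """Map a request path to (status, canonical_path).

    200 -> serve the post; canonical_path is the URL it was requested at.
    301 -> redirect to canonical_path (slug absent or stale).
    404 -> no such post, or the path does not fit the route at all.
    The slug plays no part in the lookup, so old links keep working."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    post_id = int(m.group(1))
    title = POSTS.get(post_id)
    if title is None:
        return 404, None
    canonical = f"/questions/{post_id}/{slugify(title)}"
    if m.group(2) != slugify(title):
        return 301, canonical
    return 200, canonical


def unique_slug(title: str, taken: Set[str]) -> str:
    """WordPress-style uniqueness for slug-keyed URLs, as described in the
    answer: 'foo', then 'foo2', 'foo3', ... The slug is not the primary key
    but is kept unique across the table. Records the choice in `taken`."""
    base = slugify(title)
    candidate = base
    n = 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


if __name__ == "__main__":
    for p in ("/questions/407120/pros-and-cons-of-using-db-id-in-the-url",
              "/questions/407120/blah-blah",
              "/questions/407120",
              "/questions/1/anything",
              "/questions/abc"):
        print(p, "->", resolve(p))
    used: Set[str] = set()
    print([unique_slug("foo", used) for _ in range(3)])
```

Redirecting a stale slug rather than serving under it keeps one canonical URL per post (which is what search engines index) while still honouring every old link, and the `\d+` in the route means a non-numeric or malformed ID never reaches the database at all. In a real application the uniqueness check in `unique_slug` must be backed by a unique constraint on the slug column, as the comment under Kezzer's answer notes, because two concurrent inserts can both see the slug as free.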