ASP.NET Core: how to hide database ids?

asp.net-core azure-sql-database database entity-framework-core sql-server

Question

Maybe this has been asked a lot, but I can't find a comprehensive post about it.

Q: What are the options when you don't want to pass the ids from database to the frontend? You don't want the user to be able to see how many records are in your database.

What I found/heard so far:

  1. Encrypt and decrypt the Id on backend
  2. Use a GUID instead of a numeric auto-incremented Id as PK
  3. Use a GUID together with an auto-incremented Id as PK

Q: Do you know any other or do you have experience with any of these? What are the performance and technical issues? Please provide documentation and blog posts on this topic if you know any.

1
0
10/29/2019 1:49:48 PM

Fastest Entity Framework Extensions

Bulk Insert
Bulk Delete
Bulk Update
Bulk Merge

Accepted Answer

Two things:

  1. The sheer existence of an id doesn't tell you anything about how many records are in a database. Even if the id is something like 10, that doesn't mean there's only 10 records; it's just likely the tenth that was created.

  2. Exposing ids has nothing to do with security, one way or another. Ids only have a meaning in the context of the database table they reside in. Therefore, in order to discern anything based on an id, the user would have to have access directly to your database. If that's the case, you've got far more issues than whether or not you exposed an id.

    If users shouldn't be able to access certain ids, such as perhaps an edit page, where an id is passed as part of the URL, then you control that via row-level access policies, not by obfuscating or attempting to hide the id. Security by obscurity is not security.

That said, if you're just totally against the idea of sequential ids, then use GUIDs. There is no performance impact to using GUIDs. It's still a clustered index, just as any other primary key. They take up more space than something like an int, obviously, but we're talking a difference of 12 bytes per id - hardly anything to worry about with today's storage.

5
10/29/2019 5:15:28 PM

Related Questions

Separation of concerns and n-tiered architecture in ASP.NET 5/ASP.NET Core 1

I'm struggling to find a graceful way to keep my DAL layer separate to my MVC/UI layer in ASP.NET 5 thanks to the new built in Dependency Injection which I want to use....For example I have an ASP.NET 5 project, a Business Layer project and a Data Access Project where I have various Entity Framework code such as entities and contexts. in ASP.NET 5 ...
asp.net asp.net-core asp.net-core-mvc dependency-injection entity-framework-core
asked by BenM

Creating a database with ASP.NET Core RC 2 and Entity Framework core

This is a very broad and general question. Please advise....I have tried starting an ASP.NET core project but have failed when it came to generating the database....I could not get anything to work. I have lost my code while reinstalling studio....Would some one be so kind to instruct and provide a working example of the context and startup classes...
asp.net-core entity-framework-core
asked by Greenmachine

Entity framework Core with Identity and ASP.NET Core RC2 not creating user in database

I am working on an application with authentication. I am using the following frameworks:...ASP.NET Core RC2...Entity Framework Core...The Npgsql EFCore driver...For seeding I created a ...DataSeeder... class, that gets added as Transient Service in the ...ConfigureServices... function and later called in the Configure function. It checks whether a...
asp.net-core entity-framework-core
asked by larzz11

Asp.net Core Get User by User Id

You can get the current user one of this ways:...// Get the current user ID from the user claims (no DB hit) int currentUserId = int.Parse(User.FindFirst(Claims.UserId).Value); ...And then retrieve the current user entity: ...// Either via DB context: var currentUser = _context.Users.FirstOrDefault(u => u.Id == currentUserId); // or via Userma...
asp.net-core asp.net-core-identity entity-framework-core
asked by Dmitry Pavlov

asp.net core/EF-Core mysql update database error

I am absolutely new to asp.net core development. I am trying to create a simple asp.net core web api with a single model and mysql to store the model data and then I would want to retrieve it as REST API perhaps using Swagger....My current set up looks like following: ...Books.cs:...using Microsoft.EntityFrameworkCore; using MySQL.Data.EntityFramew...
asp.net-core asp.net-core-mvc entity-framework-core
asked by Thinker

Inserting into two tables using a view model in asp.net core/ issue with database connection

What is the best way to insert into two tables at once? I am having an issue with the connection string. Below are my data models as well as my view model. I am using the code first approach with asp.net core.... public ActionResult Create(BuildPackagingViewModel viewModel) { var build = new Build() { BuildStep ...
asp.net-core asp.net-mvc c# entity-framework-core
asked by Alex Zimmerman

Binding Hidden fields in asp.net core mvc

I am writting an application with asp.net core 2.0 mvc....Here is one of my controller's action:... [HttpPost] public async Task<IActionResult> MyAction(long id, [Bind("id_person,name")] Person p) { ViewBag.message = ""; if (p.name == "") { ViewBag.message = "You need to set name."; } e...
asp.net-core-mvc c# entity-framework-core
asked by Bob5421

how to setup EFcore database first in separate class library in ASP.NET Core MVC application?

@ibrahimozgon's answer is right and helped me. However, I encountered a few errors in the DbContext class on the way which he didn't mention how to solve:...'EntityTypeBuilder' does not contain a definition for 'ToTable' and no accessible extension method 'ToTable' accepting a first argument of type 'EntityTypeBuilder' could be found (are you missi...
asp.net-core entity-framework-core
asked by Shepherd

Database Schema not changing at Runtime in Asp.net Core 2.2 & Entity Framework Core

I was able to change schema at runtime by changing onConfiguring Method... public class ApplicationDbContext : IdentityDbContext<ApplicationUser> { public string SchemaName { get; set; } public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { } public ApplicationDbContext(str...
asp.net asp.net-core asp.net-mvc c# entity-framework-core
asked by Nilesh Gajare

Refreshing Azure Active Directory access token in ASP.NET Core with dependency injection for SQL Database

I have an ASP.NET Core website (with Razor pages) that is using an Azure SQL Database with Entity Framework Core. I create the database context in the Startup.cs for dependency injection. The tricky part is that I'm using Azure Active Directory authentication against the database with Managed Identity from my App Service. So my connection string do...
asp.net-core azure azure-sql-database c# entity-framework-core
asked by silent

Fastest Entity Framework Extensions

Bulk Insert
Bulk Delete
Bulk Update
Bulk Merge
View more on Stack Overflow

Prime Library

Performance

Expression Evaluator

More Projects...

Related

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow