ASP.NET Core: how to hide database ids?
asp.net-core azure-sql-database database entity-framework-core sql-server
Question
Maybe this has been asked a lot, but I can't find a comprehensive post about it.
Q: What are the options when you don't want to pass the ids from database to the frontend? You don't want the user to be able to see how many records are in your database.
What I found/heard so far:
- Encrypt and decrypt the Id on backend
- Use a GUID instead of a numeric auto-incremented Id as PK
- Use a GUID together with an auto-incremented Id as PK
Q: Do you know any other or do you have experience with any of these? What are the performance and technical issues? Please provide documentation and blog posts on this topic if you know any.
Accepted Answer
Two things:
The sheer existence of an id doesn't tell you anything about how many records are in a database. Even if the id is something like
10, that doesn't mean there's only 10 records; it's just likely the tenth that was created.Exposing ids has nothing to do with security, one way or another. Ids only have a meaning in the context of the database table they reside in. Therefore, in order to discern anything based on an id, the user would have to have access directly to your database. If that's the case, you've got far more issues than whether or not you exposed an id.
If users shouldn't be able to access certain ids, such as perhaps an edit page, where an id is passed as part of the URL, then you control that via row-level access policies, not by obfuscating or attempting to hide the id. Security by obscurity is not security.
That said, if you're just totally against the idea of sequential ids, then use GUIDs. There is no performance impact to using GUIDs. It's still a clustered index, just as any other primary key. They take up more space than something like an int, obviously, but we're talking a difference of 12 bytes per id - hardly anything to worry about with today's storage.
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow