Is there any (security) risk in having user ids public?

We have a ‘users’ table with an incrementing integer as id (doesn’t everyone have this?).

Is there any risk in using this ID, for example in something like PostHog / Sentry, to identify the user?

And also, is there any risk in exposing this ID to the user’s browser?

I’ve considered generating a UUID for every user and using that as a ‘public’ id. But I just can’t imagine the benefit. The downside is that it’s simply more work to create and manage this.

It depends on the use-case, but most applications store the id as an incrementing integer. The risk with an incrementing integer is that you often know that user 1 is the admin, and you can easily scrape all public users’ profiles if they are simply accessed by the user id. Further, the id itself should not have any security risk.

To protect against scraping or someone guessing the admin, you can use a UUID or some other unique identifier. Here at the Discourse forums they simply use the username for the profile link, which must be unique.


Thank you! Just double checking: you mean, for example, that there are public profiles accessible at website.com/user/1?

Yes, having an incremental number makes it easy to scrape a site.

for (let i = 0; i < 1000; i++) {
  fetch('https://website.com/user/' + i);
}

Having a unique identifier makes it more difficult.

For the rest I don’t think there is a major security risk; the id doesn’t hold any personal information like, for example, an email does.

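The mitigation suggested in the replies, as an added example that is not code from anyone in this thread: keep the incrementing integer as the internal primary key, add a random UUIDv4 `public_id` column, and resolve client-supplied identifiers only through that column. The schema (an in-memory SQLite table with an `email` column) is constructed for the demo; the same `public_id` is what you would hand to PostHog / Sentry or the browser instead of the integer.

```python
import sqlite3
import uuid


def create_db() -> sqlite3.Connection:
    """Constructed demo schema: the integer id stays the primary key (and the
    target of foreign keys); public_id is the only identifier that leaves the server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " public_id TEXT NOT NULL UNIQUE,"
        " email TEXT NOT NULL UNIQUE)"
    )
    return conn


def create_user(conn: sqlite3.Connection, email: str) -> str:
    """Insert a user and return the random public id to use in URLs and analytics."""
    public_id = str(uuid.uuid4())  # 122 random bits: not guessable, not sequential
    conn.execute("INSERT INTO users (public_id, email) VALUES (?, ?)", (public_id, email))
    return public_id


def lookup_public_profile(conn: sqlite3.Connection, candidate: str):
    """Resolve a profile from an identifier supplied by the client.
    Only well-formed UUIDs are queried at all, so '/user/1' can never hit a row.
    The internal id is returned for server-side joins only; never send it back."""
    try:
        parsed = uuid.UUID(candidate)  # rejects '1', '42', 'admin', ...
    except ValueError:
        return None
    row = conn.execute(
        "SELECT id, public_id FROM users WHERE public_id = ?", (str(parsed),)
    ).fetchone()
    return None if row is None else {"id": row[0], "public_id": row[1]}


def count_guessable(conn: sqlite3.Connection, attempts: int) -> int:
    """Replay the thread's sequential-guess loop against the public-id lookup:
    with random public ids, none of the guesses resolves to a profile."""
    return sum(1 for i in range(attempts) if lookup_public_profile(conn, str(i)) is not None)


if __name__ == "__main__":
    db = create_db()
    pid = create_user(db, "alice@example.com")  # constructed sample user
    print("public id:", pid)
    print("resolved by public id:", lookup_public_profile(db, pid) is not None)
    print("profiles found by guessing 0..999:", count_guessable(db, 1000))
```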