I am using the Key value of entities in my datastore as the unique identifier in the URL for pulling up a record:
http://mysite.appspot.com/myaction/1x7s3fgdlbnRlcklkcicLAbcXc2VyQWNjb3VudCIFYW9uZ
This is not a very attractive solution, nor is it SEO friendly, but it's the easiest way I've found to identify an entity uniquely in App Engine/Java.
My main concern, though, is whether there is any security concern related to displaying the unique Key value for the entity?
The encoded key contains your app ID, namespace (if any), entity kind name, and key name or ID. There are two possible issues here: the disclosure of that information (probably not problematic), and the fact that you're accepting an encoded key. If you don't check that the entity specified by the key being passed in is of the correct kind, and that the user should have access to it, then they could pass in their own key to cause you to disclose information you shouldn't.
Almost universally, however, you already know the kind name of the entity you're fetching, so a much better idea is to use just the key name or ID of the key, and construct the full key on demand. This also makes for much cleaner URLs.
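The two approaches from this answer, sketched as an added example that is not part of the original answer: building the key from a bare numeric ID, and validating the kind when an encoded key is accepted anyway. The `Record` kind, the `ownerId` property and the class name are hypothetical, and the parent check assumes root entities.

```java
import com.google.appengine.api.datastore.DatastoreService;
import com.google.appengine.api.datastore.DatastoreServiceFactory;
import com.google.appengine.api.datastore.Entity;
import com.google.appengine.api.datastore.EntityNotFoundException;
import com.google.appengine.api.datastore.Key;
import com.google.appengine.api.datastore.KeyFactory;

public class RecordLookup {
    // Hypothetical names, assumed for this example only.
    private static final String KIND = "Record";
    private static final String OWNER_PROPERTY = "ownerId";

    private final DatastoreService datastore =
            DatastoreServiceFactory.getDatastoreService();

    /** Preferred: the URL carries only the numeric ID; the server fixes the kind. */
    public Entity loadById(String idFromUrl, String currentUserId) {
        try {
            long id = Long.parseLong(idFromUrl);
            return fetchIfOwned(KeyFactory.createKey(KIND, id), currentUserId);
        } catch (NumberFormatException e) {
            return null; // malformed ID: same result as "not found"
        }
    }

    /** If encoded keys must be accepted, reject any key of another kind. */
    public Entity loadByEncodedKey(String encoded, String currentUserId) {
        Key key;
        try {
            key = KeyFactory.stringToKey(encoded);
        } catch (RuntimeException e) {
            return null; // untrusted input: treat any parse failure as "not found"
        }
        // Assumption: records are root entities, so a key with a parent is rejected.
        if (!KIND.equals(key.getKind()) || key.getParent() != null) {
            return null;
        }
        return fetchIfOwned(key, currentUserId);
    }

    /** Returns the entity only when it exists and belongs to the caller. */
    private Entity fetchIfOwned(Key key, String currentUserId) {
        try {
            Entity entity = datastore.get(key);
            Object owner = entity.getProperty(OWNER_PROPERTY);
            return currentUserId != null && currentUserId.equals(owner) ? entity : null;
        } catch (EntityNotFoundException e) {
            return null;
        }
    }
}
```

Every failure path returns `null` so the caller can answer with one uniform 404, which avoids telling the requester whether a given ID exists but belongs to someone else.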
The security concern is that a potential hacker knows something, however small, about your database.
If parts of your database are ever compromised, the entity id could prove useful for the hacker.
Like you, I don't really like displaying database IDs, but IF you secure your application properly it isn't worth worrying about, as knowing the entity id isn't going to be useful.