Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should Google Appengine userId be treated as a secret?

Just wondering if the userId returned by calling the user.getUserId() should be treated as a secret, or can it be used in public URLs? for example, the profile page URLs look something like http://example.com/userprofile/11901930903930 where 11901930903930 is the Google generated userId on Appengine.

This is the function we are using to get the userId:

UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();

String id = user.getUserId();
like image 551
xtrahelp.com Avatar asked May 15 '12 02:05

xtrahelp.com


1 Answers

Actually, I found this info on Google and the conclusion is that they should not be used publicly.

From Google:

Accessing Account Information

While a user is signed in to an app, the app can access the account's email address or OpenID identifier for every request the user makes to the app. The app can also access a user ID that identifies the user uniquely, even if the user changes the email address for her account.

The app can also determine whether the current user is an administrator (a "developer") for the app. You can use this feature to build administrative features for the app, even if you don't authenticate other users. The Go, Java, and Python APIs make it easy to configure URLs as "administrator only."

Note: Every user has the same user ID for all App Engine applications. If your app uses the user ID in public data, such as by including it in a URL parameter, you should use a hash algorithm with a "salt" value added to obscure the ID. Exposing raw IDs could allow someone to associate a user's activity in one app with that in another, or get the user's email address by coercing the user to sign in to another app.

Link to page

like image 88
xtrahelp.com Avatar answered Oct 13 '22 07:10

xtrahelp.com