I'm being told that I shouldn't be using database IDs directly in HTML code in web applications.
Currently I use the IDs on things like table row IDs (tableRow-454 where 454 is the ID of the row in the DB), in hidden or select fields in forms, or in URLs. (I'm not referring to telling people visually on a page that they are ####.)
The recommendation I was given was to use some math to obfuscate the ID from the user. I'm thinking this will only make things more complicated and add unnecessary complexity. But I can see some good reasons to make it more difficult to determine a database ID from the HTML.
Do you obfuscate the IDs from the user? Or do you care?
ID Obfuscator is a Java library for obfuscating numerical identifiers. Practically, that means taking a number like "17" and transforming it into a string like "GDJSHCX" (and, presumably, turning that string back into a number later).
Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking, and each works in a different way. Encryption and tokenization are reversible: the original values can be derived from the obfuscated data.
The purpose of obfuscation is to make it difficult for humans to understand the data. Encrypted code always needs to be decrypted before execution, while obfuscation does not require that code undergo de-obfuscation to execute it.
No, you're just making extra work for yourself.
As long as you're doing enough testing that changing an ID here or there won't give the users access to something they shouldn't, then you're fine having the IDs visible.
In some situations it can be beneficial to hide them or have non-sequential numbers, or maybe not start counting from zero. For example, if someone got order number 3 they might start asking questions...
IMO: No, you shouldn't obfuscate IDs. If security is a concern for your application, you need other security measures anyway. Security by obscurity is not enough, it just gives you a false sense of security.
BTW, if you do just a little math, chances are that other IDs - obscured too - are still predictable. In many cases, the bad guy doesn't care which account he breaks into, as long as it isn't his own ;-)
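The two points made in the answers above, that "a little math" leaves IDs predictable and that the real control is a server-side access check, shown as an added example that is not part of the original answers. The affine scheme, its constants, the `Order` records and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical "little math" obfuscation: an affine map modulo a fixed number.
# Constants are constructed for this example.
MULT, OFFSET, MOD = 7919, 104729, 1_000_003

def obfuscate(db_id):
    return (db_id * MULT + OFFSET) % MOD

def deobfuscate(token):
    # Reversible with the modular inverse of MULT (Python 3.8+).
    return ((token - OFFSET) * pow(MULT, -1, MOD)) % MOD

def is_predictable(tokens):
    """True if tokens issued for consecutive IDs differ by one constant step,
    meaning the next token follows from any two already seen."""
    steps = {(b - a) % MOD for a, b in zip(tokens, tokens[1:])}
    return len(steps) == 1

@dataclass(frozen=True)
class Order:
    id: int
    owner: str

# Constructed sample data standing in for the database.
ORDERS = {o.id: o for o in (Order(453, "alice"), Order(454, "bob"), Order(455, "alice"))}

class Forbidden(Exception):
    pass

def get_order(session_user, order_id):
    """The ID only selects a row; the authenticated session decides access."""
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which IDs exist.
    if order is None or order.owner != session_user:
        raise Forbidden("order not available")
    return order

def can_read(session_user, order_id):
    try:
        get_order(session_user, order_id)
        return True
    except Forbidden:
        return False
```

With the ownership check in `get_order`, it no longer matters whether the page carries `454` or its obfuscated form: a changed value selects a different row, and the session still has to own it.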