
user id column, auto increment


Tommybs

11:35 am on Jan 9, 2010 (gmt 0)

10+ Year Member



Hi,

Often when I create a user table I create a user_id column as the Primary Key and Auto Increment. Then when I create a member page I normally relate the user to this id.

e.g. member.php?id=2 would be the 2nd user entered in the database. Just recently I've been thinking that this might not be the best way to go about it, as anyone would know the exact row on the table a user sits on. Am I better not exposing this PK but instead creating another field, e.g. uid, which is in fact some kind of hash of the time they registered or some unique number? e.g. uniqid(rand()); kind of style?

I notice a lot of the big boys must seem to do something similar as they don't seem to have these incrementing numbers.

Many Thanks
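An added example (not code from the thread) of the pattern the question is asking about, written in PHP since that is what the post uses: keep the auto-increment primary key for internal joins and updates, and put a separate, unguessable public id in the URL. The table and column names (users, id, public_id) and the in-memory SQLite database are assumptions made so the script runs stand-alone. The public id comes from random_bytes() rather than uniqid(rand()), because uniqid() is derived from the current microsecond timestamp and rand() is not a cryptographic random source, so a value built from them can be narrowed down from the registration time.

```php
<?php
declare(strict_types=1);
// Added example, not from the original post. Schema names are assumptions.

// 128 bits from the OS CSPRNG, hex-encoded (32 characters). Unlike
// uniqid(rand()), this is not a function of when the user registered.
function generatePublicId(): string
{
    return bin2hex(random_bytes(16));
}

function createSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE users (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        public_id TEXT NOT NULL UNIQUE,
        username  TEXT NOT NULL
    )');
}

// Insert a user. The auto-increment id stays internal; the public id is
// returned for use in links such as member.php?id=<public_id>.
function registerUser(PDO $pdo, string $username): string
{
    $publicId = generatePublicId();
    $stmt = $pdo->prepare('INSERT INTO users (public_id, username) VALUES (:pid, :name)');
    $stmt->execute([':pid' => $publicId, ':name' => $username]);
    return $publicId;
}

// Resolve the value from the URL back to a row. Check the shape first so
// malformed input never reaches the query, and bind rather than interpolate.
function findUserByPublicId(PDO $pdo, string $publicId): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $publicId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, public_id, username FROM users WHERE public_id = :pid');
    $stmt->execute([':pid' => $publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with an in-memory SQLite database and constructed sample users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);

$alice = registerUser($pdo, 'alice');
$bob   = registerUser($pdo, 'bob');

// The link carries the random id; the row number is never shown.
printf("member.php?id=%s\n", $bob);
print_r(findUserByPublicId($pdo, $bob));

// A bare row number is not a valid key in this scheme, so the lookup fails.
var_dump(findUserByPublicId($pdo, '2'));
```

The shape check in findUserByPublicId() is cheap and keeps the query from ever seeing anything but a 32-character hex string; the UNIQUE constraint on public_id is what makes the random value usable as a lookup key in the first place.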

mack

1:03 pm on Jan 9, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You could use the server timestamp as a user identifier, but still use the auto inc id for back end stuff. Either way the info that is displayed will in some way relate to the db.

Mack.

Tommybs

1:35 pm on Jan 9, 2010 (gmt 0)

10+ Year Member



Yeah, I'm aware it will in some way relate to the DB, I just didn't know if there were some wider security implications to not exposing the PK. As you say, it might be better to use the PK for back end stuff, updates and inserts, and the other hash as a read only identifier.

FourDegreez

2:37 pm on Jan 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not aware of any security reason for hiding this piece of data, unless any of your scripts blindly trusts it to be the ID of the logged in user. If that's the case, a malicious person could easily guess valid IDs of other users and do harm.

But there are some good reasons not to expose this value. For sites just starting out, you may not want to expose the fact that your user base is small. For many, it's common practice to initialize the starting value at some larger number, say 10000. Then again, for some users it is a point of pride to have a low user ID.

Another reason not to expose the number is for SEO or just having nicer URLs. Instead of /profile.php?memberId=123 you could have /profile/username.

What I do is maintain a separate field in addition to username that is set to a lowercase version of username with spaces stripped out. So if the username is Cool Guy, this other field will be coolguy. And I'd use that as the visible key in a URL like /profile/coolguy.
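An added example in PHP (not code from the post above) covering both points made in it: the slug field used as the visible key in /profile/&lt;slug&gt;, and the one case the post names as a real security problem, a script that trusts a request parameter to be the logged-in user's id. The schema (users with id, username, slug, bio), the in-memory SQLite database and the session being passed in as an array are assumptions so the script runs from the command line. The slug is built exactly as described (lowercase, spaces stripped), with two additions beyond the post: characters outside [a-z0-9] are dropped so the value is safe in a URL path, and a UNIQUE constraint on the slug column rejects collisions such as "Cool Guy" and "coolguy", which both map to coolguy.

```php
<?php
declare(strict_types=1);
// Added example, not code from the post. Schema and session layout are assumptions.

// Visible key as described: lowercase username with spaces stripped. Also
// restrict to [a-z0-9] and refuse an empty result (e.g. a username of symbols).
function makeSlug(string $username): ?string
{
    $slug = strtolower(str_replace(' ', '', $username));
    $slug = preg_replace('/[^a-z0-9]/', '', $slug);
    return $slug === '' ? null : $slug;
}

function createSchema(PDO $pdo): void
{
    // UNIQUE on slug: two usernames can map to one slug, and the second
    // registration must fail rather than take over the first user's URL.
    $pdo->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL,
        slug     TEXT NOT NULL UNIQUE,
        bio      TEXT NOT NULL DEFAULT \'\'
    )');
}

// Returns the new internal row id, or null if the slug is unusable or taken.
function registerUser(PDO $pdo, string $username): ?int
{
    $slug = makeSlug($username);
    if ($slug === null) {
        return null;
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO users (username, slug) VALUES (:u, :s)');
        $stmt->execute([':u' => $username, ':s' => $slug]);
    } catch (PDOException $e) {
        return null; // UNIQUE violation: slug collision
    }
    return (int) $pdo->lastInsertId();
}

// Public read for /profile/<slug>: the row id never appears in the URL.
function loadProfileBySlug(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('SELECT username, bio FROM users WHERE slug = :s');
    $stmt->execute([':s' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The problem the post warns about: the script takes the user's id from the
// request, so whoever sends the request chooses which row gets updated.
function updateBioUnsafe(PDO $pdo, array $request, string $bio): void
{
    $stmt = $pdo->prepare('UPDATE users SET bio = :b WHERE id = :id');
    $stmt->execute([':b' => $bio, ':id' => $request['id']]);
}

// Hardened form: the row to update comes only from the server-side session.
// The request parameters are not consulted at all for the identity.
function updateOwnBio(PDO $pdo, array $session, string $bio): bool
{
    if (!isset($session['user_id'])) {
        return false; // not logged in
    }
    $stmt = $pdo->prepare('UPDATE users SET bio = :b WHERE id = :id');
    $stmt->execute([':b' => $bio, ':id' => (int) $session['user_id']]);
    return $stmt->rowCount() === 1;
}

// Demo with an in-memory SQLite database and constructed users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);

$coolGuy = registerUser($pdo, 'Cool Guy');
$second  = registerUser($pdo, 'coolguy'); // maps to the same slug as above
printf("Cool Guy -> id %s, second registration accepted: %s\n",
    var_export($coolGuy, true), var_export($second !== null, true));

// The logged-in user edits their own bio; only the session decides which row.
updateOwnBio($pdo, ['user_id' => $coolGuy], 'Hello from Cool Guy');
print_r(loadProfileBySlug($pdo, 'coolguy'));
```

updateBioUnsafe() is kept only as the contrast to updateOwnBio() and is never called in the demo; the difference between them is the whole of the "blindly trusts it" problem the post describes, and it is independent of whether the id in the URL is a row number, a hash or a slug.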