I'm doing a project where I need to have certain IDs in the GET parameters of the URL. Things like user id, song id and profile id.
Should I hash these in your opinion?
Thanks
penders
1:33 pm on Sep 13, 2011 (gmt 0)
If it's possible for another user to fake the (user/song/profile) IDs and gain access to information they shouldn't have access to or do anything they wouldn't ordinarily be able to do then I think yes, they should be hashed.
Pico_Train
1:44 pm on Sep 13, 2011 (gmt 0)
OK. Well, they have to be logged in to get there; if not, the system throws them another page. That good enough?
penders
4:08 pm on Sep 13, 2011 (gmt 0)
Good enough for me or good enough for you? :)
If you are controlling what they can access based on their login then I wouldn't have thought it mattered if IDs were blatant in the URL, providing they don't give away anything personal.
However, if a logged-in user can still access information they shouldn't by manipulating the URL, then you would need to do something about it, IMO.
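The difference discussed in this thread, between requiring a login and checking that the logged-in user may see the specific ID in the URL, shown as an added example (not code from any poster). The record layout, function names and sample data are hypothetical and constructed for illustration.

```python
# Constructed sample data: profile rows keyed by the numeric ID used in the URL.
PROFILES = {
    101: {"owner_id": 1, "name": "alice", "private": True},
    102: {"owner_id": 2, "name": "bob", "private": True},
    103: {"owner_id": 2, "name": "bob-band-page", "private": False},
}


class Forbidden(Exception):
    """No valid login session."""


class NotFound(Exception):
    """Record is missing or not visible to this user."""


def get_profile_login_only(session, profile_id):
    """Weak form: only checks that *someone* is logged in."""
    if session.get("user_id") is None:
        raise Forbidden("login required")
    # Any logged-in user can read any row by changing the ID in the URL.
    return PROFILES[int(profile_id)]


def get_profile_authorized(session, raw_id):
    """Checks the login AND that this user may read this particular row."""
    user_id = session.get("user_id")
    if user_id is None:
        raise Forbidden("login required")
    try:
        profile_id = int(raw_id)  # GET parameters arrive as strings
    except (TypeError, ValueError):
        raise NotFound("no such profile")
    row = PROFILES.get(profile_id)
    # Same answer for "does not exist" and "not yours", so the response
    # does not reveal which IDs are in use.
    if row is None or (row["private"] and row["owner_id"] != user_id):
        raise NotFound("no such profile")
    return row
```

With the per-record check in place, a plain numeric ID in the URL exposes nothing beyond what the user is already allowed to see.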