Using Entity IDs or GUIDs as screen input variable / URL query parameter

Some people want to avoid using entity IDs as screen input parameters, which appear in URL query parameters, because hackers could manipulate the query parameter and might access unauthorized information.

They propose to use a GUID/UUID instead so that the screen input parameter cannot be 'guessed'.

But in my opinion this is not a safe solution. You should always validate the query parameter value at server side.

For instance, if a customer enters an order detail screen by clicking an order and the order id is passed through a URL query parameter, the aggregate that fetches the order detail should also check whether this customer has access to this order. So by changing the URL parameter he cannot see orders of other customers.

Like this:

SELECT Orders.Id
FROM Orders
INNER JOIN CustomerOrder ON CustomerOrder.OrderId = Orders.Id
WHERE Orders.Id = OrderId AND CustomerOrder.UserId = GetUserId()

If you do not validate the query parameter but use unguessable GUIDs only, it might seem safe, but if someone captures the GUID by watching somebody's screen or retrieves it by other means, they can enter it as the query parameter when logged in with another account and access unauthorized information.

So the GUID solution (only) is not safe!

My question is: why should we use GUIDs at all and not just pass the entity ID? Is there any other reason for this?

MVP

Hi Rogier,

Good topic for a discussion!

First, I fully agree: using a GUID doesn't make it safer, just less easy to mess around with. Server-side validation is always a must.

But there are some advantages of a GUID over an Integer Auto number:

  • Less meaningful Identifiers (Employee number 2 is probably longer with the company than Employee number 58)
  • You want the data to be uniquely-identified, no matter where it came from
  • You need to be able to combine data from different sources with little-to-no chance of duplicate GUIDs.
  • Furthermore, you don't want or don't care about the users needing to remember an ID themselves.

I recently posted an Idea about adding more GUID capabilities to the platform, as the OutSystems Dynamic Case Management Framework makes extensive use of them. 

https://www.outsystems.com/ideas/10485/add-a-guid-data-type-support-to-outsystems-platform

Regards,

Daniel
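
An added example, not part of the thread and not OutSystems code: it runs the ownership-checked query from the first post against an in-memory SQLite database and compares it with a GUID-only lookup. The Guid and Item columns, the function names and the sample rows are assumptions constructed for the illustration; session_user_id stands in for GetUserId().

```python
import sqlite3
import uuid

# Constructed sample data: two customers with one order each. Table names
# follow the query in the thread; the Guid and Item columns are assumptions.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Orders (Id INTEGER PRIMARY KEY, Guid TEXT UNIQUE, Item TEXT);
        CREATE TABLE CustomerOrder (OrderId INTEGER, UserId INTEGER);
    """)
    guids = {}
    for order_id, user_id, item in [(1, 100, "laptop"), (2, 200, "phone")]:
        guids[order_id] = str(uuid.uuid4())
        db.execute("INSERT INTO Orders VALUES (?, ?, ?)",
                   (order_id, guids[order_id], item))
        db.execute("INSERT INTO CustomerOrder VALUES (?, ?)", (order_id, user_id))
    return db, guids

def fetch_by_guid_only(db, guid):
    """GUID-only lookup: whoever holds the GUID gets the row."""
    return db.execute("SELECT Item FROM Orders WHERE Guid = ?", (guid,)).fetchone()

def fetch_with_owner_check(db, key_column, key, session_user_id):
    """Lookup that also requires the order to belong to the logged-in user.
    session_user_id must come from the server-side session, never the request."""
    if key_column not in ("Id", "Guid"):  # allow-list; the column is not user input
        raise ValueError("unsupported key column")
    return db.execute(
        f"""SELECT Orders.Item FROM Orders
            INNER JOIN CustomerOrder ON CustomerOrder.OrderId = Orders.Id
            WHERE Orders.{key_column} = ? AND CustomerOrder.UserId = ?""",
        (key, session_user_id),
    ).fetchone()

if __name__ == "__main__":
    db, guids = build_db()
    # User 200 presents the GUID of user 100's order, captured as the post describes.
    print(fetch_by_guid_only(db, guids[1]))                   # ('laptop',)
    print(fetch_with_owner_check(db, "Guid", guids[1], 200))  # None
    print(fetch_with_owner_check(db, "Id", 1, 200))           # None
    print(fetch_with_owner_check(db, "Id", 1, 100))           # ('laptop',)
```

With the ownership join in place, the integer ID and the GUID behave the same for a non-owner: both return no row.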
