I was wondering if anyone had thoughts on the most efficient way of
making sure users never see internal table IDs? Clearly, scaffold views
show a lot of IDs by default and those can be hidden. The problem seems
to be all of the IDs that Rails passes around in URLs (such as
My primary concerns are security and confidentiality: one can imagine
that there are exploits that could involve knowledge about ID numbers or
simply guessing random table row IDs and putting them into URLs to see
what happens. Combined with a few coding mistakes this could lead to a
catastrophic security/privacy breakdown. I’m also concerned about the
ability of clever people to discern how much activity/signups a
commercial web site is getting by looking at auto-incremented ID numbers
that are assigned to various signups/posts/etc (various schemes for
implementing non-sequential IDs all seem kludgy and inefficient to me,
but willing to be corrected as always).
Surely I can’t be the first person to ponder this issue. Any thoughts at
all are appreciated.
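The two concerns raised above (a guessed integer in the URL reaching someone else's row, and sequential IDs leaking volume) in one worked example. This is added here and is not the poster's code or Rails library code: it is a plain-Ruby, in-memory stand-in for a model table, so the `Document` class, the `find_unscoped`/`find_for`/`find_by_token_for` lookups, `enumerate` and `seed!` are all illustrative names, and the sample rows are constructed. The scoped lookup mirrors the Rails idiom `current_user.documents.find(params[:id])`; the token column stands in for a random public identifier you would store alongside the auto-incremented primary key.

```ruby
require "securerandom"

# Added example, not the poster's code: a plain-Ruby stand-in for a Rails
# model table so both fixes can be shown without a database.
class NotFound < StandardError; end

class Document
  attr_reader :id, :owner_id, :token, :title

  @rows = []
  @next_id = 1

  class << self
    attr_accessor :rows, :next_id
  end

  def initialize(owner_id, title)
    # Auto-incremented internal id, exactly as the database would assign it.
    @id = self.class.next_id
    self.class.next_id += 1
    @owner_id = owner_id
    @title = title
    # 128 random bits (22 URL-safe characters): cannot be guessed, and two
    # tokens reveal nothing about how many rows were created between them.
    @token = SecureRandom.urlsafe_base64(16)
    self.class.rows << self
  end

  def self.reset!
    self.rows = []
    self.next_id = 1
  end

  # Scaffold-style lookup (Document.find(params[:id])): any integer typed
  # into the URL reaches any row. This is the "guess a row ID" problem.
  def self.find_unscoped(id)
    rows.find { |r| r.id == id } or raise NotFound, "no document #{id}"
  end

  # Scoped lookup (current_user.documents.find(params[:id])): another user's
  # rows do not exist from this user's point of view, so a guessed id fails
  # exactly like a nonexistent one.
  def self.find_for(owner_id, id)
    rows.find { |r| r.owner_id == owner_id && r.id == id } or
      raise NotFound, "no document #{id} for user #{owner_id}"
  end

  # Same scoping, keyed on the opaque token used in public URLs
  # (/documents/:token). The integer id never leaves the application.
  def self.find_by_token_for(owner_id, token)
    rows.find { |r| r.owner_id == owner_id && r.token == token } or
      raise NotFound, "no document #{token} for user #{owner_id}"
  end
end

# Simulates a logged-in user (+user_id+) walking every id in +id_range+ and
# returns the titles readable with each lookup style.
def enumerate(user_id, id_range)
  read = lambda do |finder|
    id_range.map do |id|
      begin
        finder.call(id).title
      rescue NotFound
        nil
      end
    end.compact
  end
  {
    unscoped: read.call(->(id) { Document.find_unscoped(id) }),
    scoped:   read.call(->(id) { Document.find_for(user_id, id) }),
  }
end

# Constructed sample data: user 1 owns two documents, user 2 owns one.
def seed!
  Document.reset!
  [Document.new(1, "alice-notes"),
   Document.new(2, "bob-secret"),
   Document.new(1, "alice-todo")]
end

if $PROGRAM_NAME == __FILE__
  docs = seed!
  p enumerate(2, 1..10)   # :unscoped lists every title; :scoped only bob's
  puts docs.map(&:token)  # opaque, non-sequential, 22 characters each
end
```

The scoping is the part that actually closes the hole: even if the integer ids stay in URLs, `find_for` makes a guessed id indistinguishable from a nonexistent one. The token only addresses the second concern, hiding how many rows exist; it costs one indexed column and a `to_param` override, and the sequential primary key stays for joins and foreign keys.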