According to OWASP Top 10 List one way to prevent insecure direct object references is to provide only indirect references. These are artificial references that are mapped to the direct (e.g. DB) references on the server. The mapping is stored in the session.
Unfortunately, this solution is not very search engine friendly. The links stored by the crawler would be invalid in another session.
Is there a way around this problem? Are there other solutions apart from mapping references or checking object access?
You are describing a problem that doesn’t exist 🙂
Everything that a search engine must be able to crawl and see has to be public, because everything a search engine can see, can be seen by everybody. For data that is expected to be public -by definition- the object reference can never be insecure. Insecure means that it is supposed to be protected.
So if you are questioning this, take a step back and look closely at your data. If it must be crawlable, why are you trying to protect it? If it should be protected, why are you supplying it to search engines.