Every website I go to: microsoft.com, gmail, minecraft.net, yahoo.com, except for facebook, and look at someone’s profile, the query string for the profile page is encrypted. I mean the profile page name is encrypted. Why is this? Why can’t the query string just be something like: http://www.minecraft.com/profilepage.aspx?ProfilePageName=Fred instead of http://www.minecraft.com/profilepage.aspx?mts=ee3234423edder3443e?
For my website, the query string is as simple as pp=Fred and I’m worried that there is a security risk involved with doing this. Is there? Or are websites just overprotective?
Stops you being able to guess profile pages, which could be a good thing or a bad thing depending on the site.
Stops leaking of usernames through the HTTP referrer header.
Gives the pages less chance of breaking (or being flat out wrong) if the users can change their profile names. For example – I’m a member on your site and my name is Bob. Then I change it to Bruce. Anyone that linked to Bob might get a 404, or might get another Bob.
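The Bob/Bruce case from the answer above, as an added example that is not part of the original thread: profile links keyed on a random opaque id keep pointing at the same person after a rename, while a name-keyed link ends up on whoever holds the name now. `ProfileStore`, its methods and `demo` are hypothetical names, the store is an in-memory stand-in for a user table, and only the `mts` and `pp` parameter names come from the question.

```python
import secrets


class ProfileStore:
    """In-memory stand-in for a user table (constructed for this example)."""

    def __init__(self):
        self._by_id = {}    # opaque id -> display name
        self._by_name = {}  # display name -> opaque id

    def create(self, name):
        if name in self._by_name:
            raise ValueError("name already taken")
        # 128 bits from the OS CSPRNG: not derived from the name, so the id
        # cannot be guessed or enumerated the way ?pp=Fred can, and the URL
        # (and any referrer header carrying it) no longer contains the name.
        pid = secrets.token_urlsafe(16)
        self._by_id[pid] = name
        self._by_name[name] = pid
        return pid

    def rename(self, pid, new_name):
        if new_name in self._by_name:
            raise ValueError("name already taken")
        old = self._by_id[pid]
        del self._by_name[old]  # the old name is now free for someone else
        self._by_id[pid] = new_name
        self._by_name[new_name] = pid

    def by_id(self, pid):
        """Lookup for ?mts=<opaque id>; returns None for an unknown id."""
        return self._by_id.get(pid)

    def by_name(self, name):
        """Lookup for ?pp=<name>; returns the id of whoever holds it now."""
        return self._by_name.get(name)


def demo():
    store = ProfileStore()
    bob = store.create("Bob")
    store.rename(bob, "Bruce")    # Bob becomes Bruce
    other = store.create("Bob")   # a different user takes the freed name
    return {
        "id_link_shows": store.by_id(bob),  # old link, same person
        "name_link_hits_other": store.by_name("Bob") == other,
        "id_len": len(bob),
    }
```

An opaque id only makes profile URLs hard to enumerate; a page that must stay private still needs its own access check on every request.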