Home/ Questions/Q 7028227
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T00:21:34+00:00

I expect this’s been asked before but haven’t really found an appropriate answer here

  • 0

I expect this’s been asked before but haven’t really found an appropriate answer here and also don’t have the time to come up with my own solution…

If we have a user table with int identity primary key then our users have consecutive IDs while they register on the site.

The we have user public profile page on the site URL:

www.somesite.com/user/1234

where 1234 is the actual user ID. There is nothing vulnerable to see user’s ID per se, but it does give anyone the ability to check how many users are registered on my site… Manually increasing the number eventually gets me to an invalid profile.

This is the main reason why I wand a reversible ID mapping to a seemingly random number with fixed length:

www.somesite.com/user/6123978458176573

Can you point me to a simple class that does this mapping? It is of course important that this mapping is simply reversible otherwise I’d have to save the mapping along with other user’s data.

I want to avoid GUIDs

GUIDs are slower to index search them because they’re not consecutive so SQL has to scan the whole index to match a particular GUID instead just a particular calculated index page…

If I’d have ID + GUID then I would always need to fetch original user ID to do any meaningful data manipulation which is again speed degradation…

A mathematical reversible integer permutation seems the fastest solution…

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would 100% go with the “Add a GUID column to the table” approach. It will take seconds to generate one for each current user, and update your insert procedure to generate one for each new user. This is the best solution.

    However, if you really dont want to take that approach there are any number of obfuscation techniques you could use.

    Simply Base64 encoding the string representation of your number is one (bad) way to do it.

        static public string EncodeTo64(string toEncode)
    {

      byte[] toEncodeAsBytes
            = System.Text.ASCIIEncoding.ASCII.GetBytes(toEncode);
      string returnValue
            = System.Convert.ToBase64String(toEncodeAsBytes);
      return returnValue;
    }

    static public string DecodeFrom64(string encodedData)
    {
      byte[] encodedDataAsBytes
          = System.Convert.FromBase64String(encodedData);
      string returnValue =
         System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);
      return returnValue;
    }

    Bad because anyone with half an ounce of technical knowledge (hackers/scriptkiddies tend to have that in abundance) will instantly recognise the result as Base64 and easily reverse-engineer.

    Edit: This blogpost Obfuscating IDs in URLs with Rails provides quite a workable example. Converting to C# gives you something like:

    static int Prime = 1580030173;
static int PrimeInverse = 59260789;

public static int EncodeId(int input)
{
    return (input * Prime) & int.MaxValue;
}

public static int DecodeId(int input)
{
    return (input * PrimeInverse) & int.MaxValue;
}

    Input –> Output
    1234 –> 1989564746
    5678 –> 1372124598
    5679 –> 804671123

    This follow up post by another author explains how to secure this a little bit more with a random XOR, as well as how to calculate Prime and PrimeInverse – ive just used the pre-canned ones from the original blog for demo.

    • 0