I notice it is not standard practice to have a simple integer number for online shops when supplying the user an Order ID. Is this a security driven practice, or is it done to allow more orders with shorter character lengths?
If it's a security-driven practice, what is the best way to go about generating such an ID (considering the database likely uses an integer IDENTITY for the Order Table Primary Key)?
It’s mainly so users can’t view someone else’s order.
If a user is assigned a shopping cart/order ID of 1000, it’s safe to assume there was a 999 before and possibly a 1001 after.
There are ways to secure this, like ensuring the user is logged in and the order belongs to them. You can keep an integer identity for your primary key if it’d be easier for you to work with internally.
For the public-facing side though, an easy way to obfuscate an Order ID is to assign a GUID to the record. Then instead of accessing a user’s order from the primary key, you’d access it through the GUID.
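
The approach described in this answer, as an added example that is not part of the original post: the integer key stays internal, a random GUID is the only ID shown to the user, and the lookup also checks that the order belongs to the logged-in user. SQLite stands in for the shop's database, and the table, column and function names are assumptions.

```python
import sqlite3
import uuid


def open_db():
    # In-memory database; all data inserted into it is constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE orders (
               id        INTEGER PRIMARY KEY AUTOINCREMENT, -- internal key, never shown to users
               public_id TEXT NOT NULL UNIQUE,              -- random GUID used in URLs and e-mails
               user_id   INTEGER NOT NULL,
               total     TEXT NOT NULL)"""
    )
    return db


def create_order(db, user_id, total):
    # uuid4() is random (version 4), so one order's ID says nothing
    # about the IDs of the orders placed before or after it.
    public_id = str(uuid.uuid4())
    db.execute(
        "INSERT INTO orders (public_id, user_id, total) VALUES (?, ?, ?)",
        (public_id, user_id, total),
    )
    return public_id


def get_order(db, public_id, current_user_id):
    # Look up by GUID and require that the order belongs to the logged-in user.
    # An unknown GUID and someone else's order both return None, so the
    # response does not reveal whether a given ID exists.
    row = db.execute(
        "SELECT public_id, total FROM orders WHERE public_id = ? AND user_id = ?",
        (public_id, current_user_id),
    ).fetchone()
    return None if row is None else {"order_id": row[0], "total": row[1]}
```

The GUID only makes IDs hard to guess; the `user_id` condition in the query is what stops one customer from reading another's order if a GUID leaks.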