I’m creating an app where in, a client sends a request to the server and in turn gets a unique request id. This unique request id would be used later authenticate the client when it wants to interact again with the server.
The request of client are of two types:
- New request, where it has no existing id and the response from the
server generates and returns an id. - Existing request with the id. The server then processes the clients
request for the id supplied.
My problem is how do I generate the id? I’m using Java and MySQL server database. If I use an auto-incremented database generated id, then it becomes too easy for the client to guess the ids. Another client could maliciously generate a few ids by guessing and misuse them (There is no authentication between the client/sever, except for the ids :< )
If I generate a random id using UUID or some other randomize algorithm, then I need to check the entire database (which could have thousands of records), to really check and guarantee if the random id is unique indeed? Or would it be fast inside the database to check if the id exits and won’t cause performance issues?
What measures should I take? Do I need to have more security measures for authentication between the client and the server, other than the unique id?
Using
java.util.UUID.randomUUID();you can generate a cryptographically secure, random UUID.Since the UUID is 128 bit long, the chance for a collision is negligible, but if you really want to check for collisions, you can do that by storing active UUIDs in the database and check for duplicates after generation.