We’re designing the URL structure for our web app and want to use RESTful, meaningful URLs. In our system, a url for a given account would look like app/accounts/62/details where 62 was the key in a numeric, auto-incrementing index.
Is there any problem with this approach? Users would have login access to their respective accounts, so it’s not like users would be able to access other accounts by changing the account number. But is there any issue with exposing an record ID like that, or any reason why it would make sense to mask it in a hash?
There are a number of concerns – they may not apply…
Firstly, “information leaking” may be a worry. For instance, a competitor who wanted to know how many customers/orders you’ve had could traverse the URLs until you sent him a 404. In some cases, you can avoid this by requiring users to log in before you decide whether to send the 404; in others, you can’t.
A more conceptual concern is that primary keys are usually meaningless to users – so many sites have URLs like app/accounts/homer.simpson/details, with a disambiguation strategy to allow more than 1 Homer Simpson (Facebook, LinkedIn, Twitter all do this).