Comment by h33t-l4x0r
6 days ago
You might as well make them sequential if they're numeric, making them non-sequential just puts more load on your server when the brute force happens.
Agreed, the lack of per request auth, and a single exposed record as a raw cookie for auth are pretty egregious.
I did once have a system that started with an incremental sequence, was 17, then the number was passed through a reversible obfuscation to get a 6+ character output ID... it wasn't that bad, was an inspection record for a vehicle entry... meant to be able to be shared and looked up by anyone with the sequence (semi-public), it was desired to be short, and it just moved the guess-ability factor slightly.
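To make the "moves the guess-ability factor slightly" point concrete, here is an added example (not code from either commenter): a reversible, fixed-width obfuscation of a counter into a 6-character base36 ID, alongside a back-of-the-envelope estimate of how many guesses an enumerator needs per live record under three schemes. The affine constants A and B are constructed assumptions, not a secret; if the mapping is public or recoverable, an enumerator can walk it just like the raw counter, which is why the table treats the obfuscated case as "spread over the space" only when the mapping is unknown, and why the real control stays per-request authorization rather than ID shape.

```python
"""Reversible ID obfuscation and a guess-cost comparison (added example, constructed constants)."""
import math
import secrets

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
BASE = len(ALPHABET)
WIDTH = 6
SPACE = BASE ** WIDTH  # 36**6 = 2,176,782,336 distinct 6-char IDs

# Affine permutation y = (A*x + B) mod SPACE.  SPACE = 2**12 * 3**12, so A must
# not be divisible by 2 or 3 for the map to be a bijection; A_INV undoes it.
# Constructed values for illustration only; they provide obscurity, not secrecy.
A = 1_000_000_007
B = 123_456_789
assert math.gcd(A, SPACE) == 1
A_INV = pow(A, -1, SPACE)


def to_base36(n: int) -> str:
    """Fixed-width base36 encoding of 0 <= n < SPACE."""
    chars = []
    for _ in range(WIDTH):
        n, r = divmod(n, BASE)
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def from_base36(s: str) -> int:
    n = 0
    for ch in s:
        n = n * BASE + ALPHABET.index(ch)
    return n


def obfuscate(seq: int) -> str:
    """Counter value -> short public ID (bijective, so no collisions)."""
    if not 0 <= seq < SPACE:
        raise ValueError("sequence value outside the 6-char space")
    return to_base36((A * seq + B) % SPACE)


def deobfuscate(public_id: str) -> int:
    """Public ID -> original counter value (inverse of obfuscate)."""
    if len(public_id) != WIDTH or any(c not in ALPHABET for c in public_id):
        raise ValueError("malformed public ID")
    return (A_INV * (from_base36(public_id) - B)) % SPACE


def random_public_id() -> str:
    """Unguessable alternative: 128 bits from the OS CSPRNG (22 URL-safe chars)."""
    return secrets.token_urlsafe(16)


def expected_guesses_per_hit(space_size: int, live_records: int, enumerable: bool) -> float:
    """Average guesses an enumerator spends per valid record found.

    enumerable=True models a dense, ordered counter: every guess lands on a record.
    Otherwise live records are assumed spread uniformly over space_size."""
    if enumerable:
        return 1.0
    return space_size / live_records


def compare_schemes(live_records: int) -> dict:
    """Guess cost per hit for a sequential counter, the 6-char obfuscated ID with an
    unknown mapping, and a 128-bit random token, given live_records valid IDs."""
    return {
        "sequential": expected_guesses_per_hit(live_records, live_records, True),
        "obfuscated_6char_unknown_map": expected_guesses_per_hit(SPACE, live_records, False),
        "obfuscated_6char_known_map": expected_guesses_per_hit(live_records, live_records, True),
        "random_128bit": expected_guesses_per_hit(2 ** 128, live_records, False),
    }


if __name__ == "__main__":
    pid = obfuscate(17)
    print(f"counter 17 -> {pid} -> {deobfuscate(pid)}")
    for scheme, cost in compare_schemes(1_000).items():
        print(f"{scheme:32s} ~{cost:.3g} guesses per hit")
    print("random token example:", random_public_id())
```

Reading the output: with a thousand live records, the 6-character space costs an uninformed guesser about two million tries per hit, the raw counter costs one, and a known mapping collapses the obfuscated case back to one. Neither short scheme is in the same league as a 128-bit token, and none of them substitutes for checking on every request that the caller is allowed to read the record.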