Comment by tracker1

1 day ago

Agreed, the lack of per-request auth, and a single exposed record as a raw cookie for auth are pretty egregious.

I did once have a system that started with an incremental sequence was 17, then the number was passed through a reversible obfuscation to get a 6+ character output ID... it wasn't that bad, was an inspection record for a vehicle entry... meant to be able to be shared and looked up by anyone with the sequence (semi-public), it was desired to be short, and it just moved the guess-ability factor slightly.