| ▲ | delifue a day ago |
| With proper data permission check, having predictable ID is totally fine. And UUIDv7's random part is large enough so that it's much harder to predict than auto increment id. If your security relies on attacker don't know your ID (you don't do proper data permission check), your security is flawed. |
|
| ▲ | pinkgolem a day ago | parent [-] |
| Is that not quit commen for invites/no user account shares? |
| |
| ▲ | javawizard a day ago | parent [-] | | Indeed, but one could easily argue that 128 bits of entropy aren't sufficient for a good invite token in the first place. | | |
| ▲ | pinkgolem a day ago | parent [-] | | I am just puzzled why delifue calls something that, as far as I know is pretty standard across the industrie, bad practice | | |
| ▲ | treve a day ago | parent | next [-] | | There's 2 cases being discussed. A UUIDv7 is a bad secret, but it's fine for many other ids. If I can guess your user id, it shouldn't really matter because your business logic should prevent me from doing anything with that information. If I can guess your password reset token it's a different story because I don't need anything else beyond that token to do damage. | |
| ▲ | nesarkvechnep a day ago | parent | prev [-] | | Because it is? | | |
|
|
|
