Log message #4019753

# At Username Text
# Apr 24th 2017, 10:34 bravo-kernel I might have remember incorrectly though ;)
# Apr 24th 2017, 10:33 bravo-kernel Obfuscating numeric id using one of the strategies would make it near impossible to harvest using url guesses
# Apr 24th 2017, 10:33 bravo-kernel I do recall firm statements about not using uuid to not kill performance
# Apr 24th 2017, 10:32 bravo-kernel Check
# Apr 24th 2017, 10:31 dereuromark bravo: no its not :slightly_smiling_face: it appears to be - which sometimes can be enough
# Apr 24th 2017, 10:31 bravo-kernel Imo
# Apr 24th 2017, 10:31 bravo-kernel Obfuscation is as secure as it gets
# Apr 24th 2017, 10:31 dereuromark if you do, use uuid16 :slightly_smiling_face:
# Apr 24th 2017, 10:30 bravo-kernel Ask @dereuromark, do not use uiid for primary ids
# Apr 24th 2017, 10:27 spriz Sneaky :)
# Apr 24th 2017, 10:24 NeoThermic|Work e.g (sorry for the function chain, but to get one line): $base36uuid = gmp_strval(gmp_init(str_replace('-', '', CakeText::uuid()), 16) , 36);
# Apr 24th 2017, 10:22 NeoThermic|Work doubly so since you can express them as base 36 (once you remove the dashes) for shorter strings in URIs
# Apr 24th 2017, 10:21 NeoThermic|Work UUIDs are a great choice
# Apr 24th 2017, 10:21 spriz UUID for primary keys <3
# Apr 24th 2017, 10:20 NeoThermic|Work I don't suggest muffin/obfuscate if you want any degree of actual secrecy, mind
# Apr 24th 2017, 10:20 NeoThermic|Work hmm
# Apr 24th 2017, 10:19 birdy247 ah I read as optimal :slightly_smiling_face:
# Apr 24th 2017, 10:19 bravo-kernel Gotta go, gl guys and girls
# Apr 24th 2017, 10:18 bravo-kernel Simply put: a must IMHO
# Apr 24th 2017, 10:18 bravo-kernel :face_with_rolling_eyes:
# Apr 24th 2017, 10:18 bravo-kernel Not optional
# Apr 24th 2017, 10:18 birdy247 Not optimal?
# Apr 24th 2017, 10:17 bravo-kernel No problem
# Apr 24th 2017, 10:17 bravo-kernel Using JsonApiListener is not even optional anymore IMO
# Apr 24th 2017, 10:16 birdy247 big thanks for writing that
# Apr 24th 2017, 10:16 birdy247 @bravo-kernel great API blog post
# Apr 24th 2017, 10:16 birdy247 :)
# Apr 24th 2017, 10:16 bravo-kernel s/use/you might want to use/
# Apr 24th 2017, 10:15 bravo-kernel @birdy use muffin/obfuscate if you want to hide your (auto incremental) ids
# Apr 24th 2017, 10:14 Neon1024 You can thanks bravo-kernel
# Apr 24th 2017, 10:14 birdy247 the JsonApi is also sweet as
# Apr 24th 2017, 10:14 birdy247 Man, CRUD + API + Search = happy
# Apr 24th 2017, 10:05 Neon1024 https://youtu.be/3Neq2ey3mgE?t=18
# Apr 24th 2017, 10:05 Neon1024 But you’ve got a CMS so you’ve already got SSL
# Apr 24th 2017, 10:04 Neon1024 So worth some SSL at an absolute minimum
# Apr 24th 2017, 10:04 Neon1024 Will just get session hijacked, or man-in-the-middle’d etc etc
# Apr 24th 2017, 10:04 Neon1024 So something like example.com/api/v1/secret-endpoint/918?password=foobar
# Apr 24th 2017, 10:03 Neon1024 Plus, urls are transparent. Whatever is in the url is readable by anyone
# Apr 24th 2017, 10:03 Neon1024 Not that I like Phil Sturgeon, but that was a point he made in one of his api talks, and it’s a good one
# Apr 24th 2017, 10:02 birdy247 :+1:
# Apr 24th 2017, 10:02 Neon1024 If you happened to have a security hole, I could suck your database dry