
And if you consider knowledge of the id sufficient for access.

Which, despite the fact that it really shouldn't be, still seems to occur every so often. Even in situations where the ids are very much not random.

Honestly if I have to read one more article about a 'hacker' who 'leaked' some secret government piece ahead of time because they thought to increment the date in the url of some yearly report, I'm going to lose my mind.




I don't understand. What part of this requires that one considers knowledge of the ID sufficient for access? And what kind of access are you talking about?

The performance benefits of index friendly user IDs seem like they would apply even if all user info is secret and requires a token to access... The application still has to look up the user by ID after all?

If I imagine a basic authenticated "get information about me" style endpoint, that would take a user ID and an authentication token. Checking if the token is valid is faster if the user ID is index friendly. Getting the requested information is faster if the user ID is index friendly. Yet a user of the API still needs both the user ID and a token to access anything.


> Yet a user of the API still needs both the user ID and a token to access anything.

Ideally yeah.

In practice, it varies...



