asp.net security asp.net-core asp.net-identity

Is it safe to expose the UserId to a client?


I'm developing a web app and I'm wondering if exposing UserIds to the clients is potentially posing a security vulnerability. (By UserId I refer to the Id of an Identity user object created by the Identity Framework and used as a PK of the users table.)

To give some context or an example: in my app, I need to distinguish between content that is posted by the signed in user and the content that was posted by others. In a naive approach, I would just compare the UserId of the content to the UserId of the currently authenticated user. But that would mean that the client sees the Ids of all involved users.

My gut feeling tells me that this is not a good idea but I couldn't pinpoint why. So, I wonder if there's a guideline around this question. Maybe it's just the general rule to reduce the surface of knowledge that is exposed to a minimum.

If this is the case, how should I proceed? Would hashing of the UserId help to solve the problem or are there better approaches around?

EDIT

The example I made is not the best because this problem can easily be solved on the back-end by comparing user IDs there and then sending the contents to the client already tagged as "mine" or "by others". But still, the general question remains.


Solution

  • If user IDs are themselves sensitive data, for example, your primary keys for some reason happen to be social security numbers, that'll definitely be a security and privacy liability. If your user IDs are just auto-increment numbers though, it should be fine.

    It is always best to expose a unique identifier other than the primary key outside your system. It gives you more flexibility in resolving data mix-ups, dealing with data migration issues, and in otherwise future-proofing your system.

    If UIDs are just identifiers for users, knowing a user's UID does not grant you any permissions that are associated with that user. Sharing the UID in URLs is about as safe as sharing your username on Github, or your unique ID on Stack Overflow.

    Stack Overflow displays user IDs in their URLs in order to make user profile lookups work: https://stackoverflow.com/users/10158551/xing-zou

    Anyway, it is up to your design and you need to consider more than we could.

    Refer to "Should I expose a user ID to public?"
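
The back-end tagging from the question's edit combined with the answer's advice to expose an identifier other than the primary key, as an added example that is not part of the original post. The types `AppUser`, `Post`, `PostDto`, `PostService` and the `PublicId` field are hypothetical, and the `ClaimsPrincipal` built here stands in for `HttpContext.User` in an ASP.NET Core app.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed sample data; "pk-..." values stand in for Identity primary keys.
var alice = new AppUser("pk-alice", Guid.NewGuid(), "alice");
var bob = new AppUser("pk-bob", Guid.NewGuid(), "bob");
var users = new[] { alice, bob }.ToDictionary(u => u.Id);
var posts = new List<Post> { new(1, alice.Id, "hello"), new(2, bob.Id, "hi there") };

// ASP.NET Core Identity stores the user id in the NameIdentifier claim by default.
var caller = new ClaimsPrincipal(new ClaimsIdentity(
    new[] { new Claim(ClaimTypes.NameIdentifier, alice.Id) }, "ConstructedAuth"));

foreach (var dto in PostService.List(caller, posts, users))
    Console.WriteLine($"{dto.Id} by {dto.AuthorName} ({dto.AuthorPublicId}) mine={dto.IsMine}");

// Authorization is decided from the authenticated principal, not from an id the client sends.
Console.WriteLine($"edit own post: {PostService.CanEdit(caller, posts[0])}");
Console.WriteLine($"edit other's post: {PostService.CanEdit(caller, posts[1])}");

// Storage model: Id is the primary key, PublicId is a separate random identifier (assumed column).
record AppUser(string Id, Guid PublicId, string DisplayName);
record Post(int Id, string AuthorId, string Body);

// What the client receives: no primary key, ownership already decided by the server.
record PostDto(int Id, Guid AuthorPublicId, string AuthorName, string Body, bool IsMine);

static class PostService
{
    static string CallerId(ClaimsPrincipal user) =>
        user.FindFirst(ClaimTypes.NameIdentifier)?.Value
        ?? throw new UnauthorizedAccessException("no authenticated user");

    public static IEnumerable<PostDto> List(ClaimsPrincipal user, IEnumerable<Post> posts,
                                            IReadOnlyDictionary<string, AppUser> users)
    {
        var me = CallerId(user);
        return posts.Select(p => new PostDto(p.Id, users[p.AuthorId].PublicId,
            users[p.AuthorId].DisplayName, p.Body, IsMine: p.AuthorId == me));
    }

    // Knowing an author's identifier grants nothing: the check uses the caller's own claim.
    public static bool CanEdit(ClaimsPrincipal user, Post post) =>
        post.AuthorId == CallerId(user);
}
```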