[Catalyst] Encrypt /Decrypt URI

Matija Grabnar matija at serverflow.com
Fri May 18 22:49:54 GMT 2007


Bill Moseley wrote:
> Last time I checked there were an infinite number of integers.  (And I'm not
> planning on counting them again.)
>   
I feel that we are talking past each other. Perhaps I was insufficiently 
clear in my writing.
I don't have a special preference for alphabetic strings over numeric 
strings. I just feel that the identifiers should not be allocated in a 
trivially predictable order, **particularly** in situations where 
publicly accessible content is mixed with restricted (or as yet 
unreleased) content.
> Using md5s for images, as in your example, is fine.  But if the images
> really needed to be protected then that scheme is purely security by
> obscurity.
Um, yes. As are passwords. And many other means of authentication.
>   That's what we were talking about -- the case where some
> user might type in the next sequence and see someone else's data.  If
> the images belonged to users you would probably want to make sure the
> request is authorized to view the image instead of relying on just
> obscuring the url.
>   
I refer you to my previous note on a real-life example of a system where 
that would be relatively difficult, and significantly more complex.
> Adding layers of security is fine -- but you have to be careful that
> the added complexity doesn't also make it easier to leave open a hole.
I definitely agree. However, I fail to see how using a long numeric (or 
alphanumeric, doesn't really matter) string instead of a simply 
incrementing table key would open a hole. Perhaps you could describe to 
me where you see the danger in this approach?
