About Character Owner Hash

Hello,

I would like to know if this data can be displayed in a URL or if it should be avoided.

Probably not something that you should publicly expose. What are you trying to do?

Hey, thank you for your answer.
I’m working on an app where the user is actually the character himself.
So I’m guessing how to prevent, like, identity confusion in the case of a character switch from one account to another.

For now the easiest way I found was to query the user in my DB based on his character_owner_hash, and if the matching between characterId and character_owner_hash changes, it means that the character account has changed and eventually the human behind it too.

So for this, I’m using the character_owner_hash as a query parameter in my URL.
I’m using the character_owner_hash as a UUID in my user table.

So my question could be: may I use the character owner hash publicly? Or should I set my own UUID for each user and query each user from my database with this UUID instead of the character owner hash?

https://docs.esi.evetech.net/docs/best_practices.html Might be helpful for you.

But I’m a bit confused on why that needs to be a query param?


Well:

Do not use character_id as a primary identifier for a character/user link. Instead, use CharacterOwnerHash. This is so, if a character is sold, the new owner doesn’t appear to be the same as the old owner. Especially if you allow for different character logins, to reach the same master account on your system.

I will continue to use it.

Thank you

One possible solve for an owner change scenario is to request the value from CCP in your ESI pull and on a returned change in that value deny new end-user queries until the character is re-authenticated. You can still use the character ID as the primary lookup against your database, with the character owner lookup happening on the backend, not exposed to end user interaction.

If you need an ID in the URL string, make it a string unique to your DB instead of specific to the character. You shouldn’t be doing authentication queries via exposed URL parameters anyway for system security reasons - put the database handshake into a script and return the unique ID for page display purposes if you have to have a URL data element for your app to function.
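The approach from the last two replies, as an added example that is not part of the original thread: the owner hash stays server-side, URLs carry only an opaque ID generated by the app, and a changed hash locks the record until the character logs in again. `Account`, `AccountStore` and the in-memory dicts are hypothetical stand-ins for the app's user table, and the owner hash is assumed to arrive from an SSO token already verified on the backend.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    character_id: int
    owner_hash: str  # kept server-side only, never placed in a URL
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    needs_reauth: bool = False


class AccountStore:
    """In-memory stand-in for the app's user table (hypothetical schema)."""

    def __init__(self):
        self.by_character = {}  # character_id -> Account
        self.by_public_id = {}  # opaque URL id -> Account

    def on_sso_login(self, character_id, owner_hash):
        """Call after the SSO token has been verified on the backend."""
        current = self.by_character.get(character_id)
        if current and secrets.compare_digest(current.owner_hash, owner_hash):
            current.needs_reauth = False
            return current
        if current:
            # Owner changed: retire the old record so its links stop resolving.
            del self.by_public_id[current.public_id]
        fresh = Account(character_id, owner_hash)
        self.by_character[character_id] = fresh
        self.by_public_id[fresh.public_id] = fresh
        return fresh

    def on_background_refresh(self, character_id, owner_hash):
        """Owner hash seen during a backend pull; lock the record if it changed."""
        acct = self.by_character.get(character_id)
        if acct and not secrets.compare_digest(acct.owner_hash, owner_hash):
            acct.needs_reauth = True
        return acct

    def resolve_url_id(self, public_id):
        """Lookup for URL parameters: opaque id only, denied while locked."""
        acct = self.by_public_id.get(public_id)
        if acct is None or acct.needs_reauth:
            return None
        return acct
```
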