The dangers of hashing known plain text

I have easily guessed internal IDs (auto incrementing numbers) and I would like to give my clients access to resources based on those IDs.

For a reason, I am unable to provide them with a url like:

https://example.com/order/13

because they can easily guess how to access order # 14 from that url.

So I thought about giving them a salted hash of type ID:

https://example.com/order/4643ef...

Where

4643ef… = sha256(13 + 'supersecretsalt')


Is this a good security approach?

+3




1 answer


First of all, you shouldn't provide access to any resource based solely on the URI. In other words, user A should not have access to a resource owned by user B, even if he knows the corresponding URI. To mitigate this, you must add some form of authentication and authorization before allowing access to any (confidential?) resources.

However, if you still want to obfuscate the URI, you can use a GUID to do this instead of generating some kind of hash. For each order ID, just store a GUID along with it, and then look up that ID when the GUID is used in the URL.


A sidenote: if you want your customers to view some of the order details based simply on the URL (i.e. no identification required), you could at least make the resource available only temporarily. You can do this by storing, for example, a valid-to date along with the GUID.



Now user A will be able to see information related to his resource using the URL with the GUID, but perhaps only for, say, 3 days. Other users would be able to access it as well, but this is less likely because the GUID is difficult to guess and because they only have a 3-day window to do so.

If User A needs to access their resource again, perhaps you can provide a way to extend the GUID or, alternatively, simply provide a new GUID pointing to the same resource but with a different validity date.

Obviously, you will need to decide whether this is realistic / acceptable for your specific situation and security needs.

+2


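One way to implement the answer's GUID-per-order lookup with a valid-to date, plus the owner check it insists on, as an added Python example that is not from the original post. The in-memory dicts stand in for database tables and the order owners are constructed sample data; times are Unix epoch seconds so expiry can be tested deterministically.

```python
import time
import uuid
from typing import Dict, Optional, Tuple

# Constructed sample data: order id -> owning user (a real app reads this from its orders table).
ORDERS: Dict[int, str] = {13: "alice", 14: "bob"}

# Share-link table: opaque token -> (order_id, valid_to as epoch seconds).
SHARE_LINKS: Dict[str, Tuple[int, float]] = {}

DAY = 86400.0


def create_share_link(order_id: int, days_valid: int = 3, now: Optional[float] = None) -> str:
    """Mint a random token for one order and record when it expires.

    uuid4 is drawn from the OS CSPRNG, so it is not a function of the sequential
    order id at all; there is nothing to recompute, unlike sha256(id + salt).
    Calling this again for the same order issues a fresh token with a new date,
    which is the "new GUID pointing to the same resource" the answer describes.
    """
    now = time.time() if now is None else now
    token = str(uuid.uuid4())
    SHARE_LINKS[token] = (order_id, now + days_valid * DAY)
    return token


def resolve_share_link(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the order id behind a token, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SHARE_LINKS.get(token)
    if entry is None:
        return None
    order_id, valid_to = entry
    return order_id if now <= valid_to else None


def can_view_order(user: Optional[str], order_id: int,
                   token: Optional[str] = None, now: Optional[float] = None) -> bool:
    """Authorization decision: the owner always may; anyone else only with a live token.

    The order id in the URL is never trusted on its own, which is the answer's first point.
    """
    owner = ORDERS.get(order_id)
    if owner is None:
        return False
    if user is not None and user == owner:
        return True
    return token is not None and resolve_share_link(token, now) == order_id
```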






