in reply to Re^2: DBI Insert Unique Customer ID
in thread DBI Insert Unique Customer ID
Sounds like you have a major problem if knowing someone else's customer id is a problem!
It's only dangerous to know someone's id when knowing someone's id is sufficient to impersonate the person. That's usually the case for session ids*, and is inexcusable anywhere else.
And if you think 5 digits would be sufficient in that case, you're quite mistaken! It would take but seconds to find a valid id! (50 attempts on average if you have 1000 customers.) Session ids are usually 8 times longer (128 bits rather than 16).
* — And even then, the risk is mitigated by binding the session id to the user's IP address and expiring the session id in short order.
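
The session handling the post describes (a 128-bit id, bound to the client's IP address and expiring quickly), as an added example that is not part of the original post. The 15-minute lifetime, the in-memory `%sessions` hash and the sub names are assumptions, and the sample values are constructed.

```perl
use strict;
use warnings;

my $TTL = 15 * 60;   # assumed session lifetime, in seconds
my %sessions;        # in-memory stand-in for a sessions table (assumption)

# 16 bytes (128 bits) from the kernel CSPRNG, hex-encoded to 32 characters.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read $fh, my $buf, 16;
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# The customer id is only data stored behind the session id; it grants nothing.
sub create_session {
    my ($customer_id, $ip, $now) = @_;
    my $sid = new_session_id();
    $sessions{$sid} = { customer => $customer_id, ip => $ip, expires => $now + $TTL };
    return $sid;
}

# Returns the customer id, or undef if the id is unknown, expired,
# or presented from a different IP address than the one it was issued to.
sub check_session {
    my ($sid, $ip, $now) = @_;
    my $s = $sessions{$sid // ''} or return;
    if ($now >= $s->{expires}) { delete $sessions{$sid}; return; }
    return unless $s->{ip} eq $ip;
    return $s->{customer};
}

# Constructed sample data: customer 10042 logging in from 192.0.2.10.
my $t0  = time;
my $sid = create_session(10042, '192.0.2.10', $t0);
printf "id length: %d hex chars\n", length $sid;
printf "same IP: %s\n",  check_session($sid, '192.0.2.10', $t0 + 60) // 'rejected';
printf "other IP: %s\n", check_session($sid, '198.51.100.7', $t0 + 60) // 'rejected';
printf "customer id used as session id: %s\n",
    check_session('10042', '192.0.2.10', $t0 + 60) // 'rejected';
printf "after expiry: %s\n",
    check_session($sid, '192.0.2.10', $t0 + $TTL + 1) // 'rejected';
```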