Are IDs (ObjectIds from mongo) safe to use in a URL?

I was recently told that using mongodb _id fields in a URL is unsafe. I was wondering if that's true.

My site is restricted to registered users, and every user has their URL endpoints which contain an id from mongo. It's the typical mongodb _id field - a SHA1. AFAIK, the id is unguessable, and even if someone hits upon someone else's id, session based authentication in my app doesn't allow access. No one has direct database access other than the application itself.

I'm curious to know if there's anything I'm missing.

Edit: Clarified question. (mongodb ObjectIDs aren't SHA1s)

Rakesh Pai asked Dec 19 '11 12:12

1 Answer

The _id field from MongoDB is (by default) of type ObjectID. It is not a SHA1.

And its string representation (like 4ed7cbfd1d96406ca0000015) is, for sure, URL-safe. I use it everywhere.

I mean, it is safe to expose it everywhere where you would put a regular int identifier (/products/3 or /users/42 or whatever).

On your site you should check if a user is logged in and if he has access to the given URL. You should not blindly allow users to visit URLs with ObjectIDs in them, just because they (ids) are not easy to guess (they're easier than SHA1, though).

Sergio Tulentsev answered Oct 21 '22 20:10
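The answer's two points, that an ObjectId is a structured value rather than a secret hash and that every request must still be authorized, as an added Python example that is not part of the question or answer. It assumes the original ObjectId layout (4-byte timestamp, 3-byte machine id, 2-byte pid, 3-byte counter); the OWNERS table and can_view function are constructed stand-ins for the application's own user store and route handler.

```python
# Added example (not from the question or answer): decode the fields of a
# MongoDB ObjectId string and show the ownership check the answer calls for.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

OBJECT_ID_RE = re.compile(r"^[0-9a-f]{24}$")


@dataclass(frozen=True)
class ObjectIdFields:
    timestamp: datetime   # creation time, second resolution
    machine: int          # 3-byte machine identifier
    pid: int              # 2-byte process id
    counter: int          # 3-byte per-process counter, +1 per insert


def parse_object_id(oid: str) -> ObjectIdFields:
    """Split a 24-hex-char ObjectId into its components (4/3/2/3 layout).

    The layout shows why an ObjectId is unique but not secret: each field
    comes from observable state, and two documents inserted back to back by
    the same process differ only in the counter.
    """
    if not OBJECT_ID_RE.match(oid):
        raise ValueError(f"not a valid ObjectId: {oid!r}")
    raw = bytes.fromhex(oid)
    ts = int.from_bytes(raw[0:4], "big")
    return ObjectIdFields(
        timestamp=datetime.fromtimestamp(ts, tz=timezone.utc),
        machine=int.from_bytes(raw[4:7], "big"),
        pid=int.from_bytes(raw[7:9], "big"),
        counter=int.from_bytes(raw[9:12], "big"),
    )


# Constructed stand-in for the app's user store: resource id -> owning user.
OWNERS = {
    "4ed7cbfd1d96406ca0000015": "alice",
    "4ed7cbfd1d96406ca0000016": "bob",
}


def can_view(session_user: Optional[str], resource_id: str) -> bool:
    """Authorization for /users/<id>: the id in the URL is only a lookup key.

    Deny when nobody is logged in, the id is malformed or unknown, or the
    logged-in user is not the owner; knowing the id grants nothing by itself.
    """
    if session_user is None or not OBJECT_ID_RE.match(resource_id):
        return False
    return OWNERS.get(resource_id) == session_user
```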