Menu
I was recently told that using mongodb _id fields in a URL is unsafe. I was wondering if that's true.
My site is restricted to registered users, and every user has their URL endpoints which contains an id from mongo. It's the typical mongodb _id field - a SHA1. AFAIK, the id is unguessable, and even if someone hits upon someone else's id, session based authentication in my app doesn't allow access. No one has direct database access other than the application itself.
I'm curious to know if there's anything I'm missing.
Edit: Clarified question. (mongodb ObjectIDs aren't SHA1s)
884
No matter if it's MongoDb, SQL or any other id. Id is the key to data. If this key is only thing you need to view content that you should not - that's an issue.
Is it ok to use Mongo's “Object ID” as its unique identifier? Yes, it is intended for this purpose. Making unique IDs can be a pain in sharded environments, so MongoDB does this for you.
They simply offer global uniqueness.
MongoDB is a NoSQL database that operates with collections and documents. Each document created on MongoDB has a unique object ID property. So when creating a document without entering an ID, the document will be created with an auto-generated ID.
_id field from MongoDB is (by default) of type ObjectID. It is not a SHA1.
And its string representation (like 4ed7cbfd1d96406ca0000015 is, for sure, URL-safe. I use it everywhere.
I mean, it is safe to expose it everywhere where you would put a regular int identifier (/products/3 or /users/42 or whatever).
On your site you should check if a user is logged in and if he has access to given URL. You should not blindly allow users to visit URLs with ObjectIDs in them, just because they (ids) are not easy to guess (they're easier than SHA1, though)
190
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
