I'm trying to make a board with mongoDB.
I want to assign document ID with ObjectID.
If a user can access to a document page by http://www.example.com/4easdf123123 where "4easdf123123" is a mongoDB ObjectID.
Is there any possible security threat, If I use and show mongo ObjectID in URL and using it as a document id?
And any suggestion with assigning document ID with mongoDB?
That doesn't look like a MongoDB ObjectID -- an ObjectID is 12 bytes of binary data, and when rendered as a hexadecimal string (the usual way to use it in a URL) it would be 24 characters long. I assume you're using the official PHP Mongo Driver, in which case the MongoId class's constructor will ignore invalid values and generate a new one for you. In any event, it's best to let the driver generate an ObjectID/MongoId for you, as it will do so in a way that avoids collisions.
As for the safety of using it in your URLs, you should be fine. You should, of course, use the usual precautions about implementing code to ensure that the current user has access to view the object being displayed, etc, but there is no more security risk of using an ObjectID in URL than any other database identifier (string, integer, etc), and often there is less, as the ObjectID has no semantic value (whereas a string like "adminuser" in a URL might convey that that URL relates to a user with elevated privileges).
ObjectIds are designed to be unique even when generated without coordination across your application. They include a timestamp, a hash of the machine ID, process or thread ID, and a 3-byte incrementing counter. You'd need to create 2^24, or about 16 million ObjectIds from the same process/thread for there to be a conflict (or run into a hash collision on the machine ID). Even if this happened, it would only be an issue if the ObjectIds in question were used in the same collection as the _id (or in another unique field). –
Bluma © 2022 - 2024 — McMap. All rights reserved.