I’m trying to make a board with mongoDB.
I want to assign document ID with ObjectID.
If a user can access to a document page by http://www.example.com/4easdf123123 where “4easdf123123” is a mongoDB ObjectID.
Is there any possible security threat, If I use and show mongo ObjectID in URL and using it as a document id?
And any suggestion with assigning document ID with mongoDB?
That doesn’t look like a MongoDB ObjectID — an ObjectID is 12 bytes of binary data, and when rendered as a hexadecimal string (the usual way to use it in a URL) it would be 24 characters long. I assume you’re using the official PHP Mongo Driver, in which case the
MongoId class’s constructor will ignore invalid values and generate a new one for you. In any event, it’s best to let the driver generate an ObjectID/
MongoId for you, as it will do so in a way that avoids collisions.
As for the safety of using it in your URLs, you should be fine. You should, of course, use the usual precautions about implementing code to ensure that the current user has access to view the object being displayed, etc, but there is no more security risk of using an ObjectID in URL than any other database identifier (string, integer, etc), and often there is less, as the ObjectID has no semantic value (whereas a string like “adminuser” in a URL might convey that that URL relates to a user with elevated privileges).