Home/ Questions/Q 6989555
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T19:13:39+00:00

I was recently told that using mongodb _id fields in a URL is unsafe.

  • 0

I was recently told that using mongodb _id fields in a URL is unsafe. I was wondering if that’s true.

My site is restricted to registered users, and every user has their URL endpoints which contains an id from mongo. It’s the typical mongodb _id field – a SHA1. AFAIK, the id is unguessable, and even if someone hits upon someone else’s id, session based authentication in my app doesn’t allow access. No one has direct database access other than the application itself.

I’m curious to know if there’s anything I’m missing.

Edit: Clarified question. (mongodb ObjectIDs aren’t SHA1s)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    _id field from MongoDB is (by default) of type ObjectID. It is not a SHA1.

    And its string representation (like 4ed7cbfd1d96406ca0000015 is, for sure, URL-safe. I use it everywhere.

    I mean, it is safe to expose it everywhere where you would put a regular int identifier (/products/3 or /users/42 or whatever).

    On your site you should check if a user is logged in and if he has access to given URL. You should not blindly allow users to visit URLs with ObjectIDs in them, just because they (ids) are not easy to guess (they’re easier than SHA1, though)

    • 0