Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m designing an API that interacts with MongoDB.
Now the question is, if it is safe to use the raw ObjectID to query for objects etc. Could any security issues arise when using the OIDs directly (e.g. in queries), or should I encrypt/decrypt them before they leave my server environment?
Look at BSON Object ID specification here and you will know if it is safe for you to use.
If you try to protect from users sending different URLs from scripts (fuskators) then it seems for me it has weak security. There won’t be too many ‘machine’, ‘pid’ part combinations. ‘time’ part can calculated if attacker can have an idea how data was inserted (especially if using batch). ‘inc’ – very weak.
I won’t trust ObjectIDs as the only security.
Please note there can’t be a right answer to the question “is it safe” in general. You must decide yourself.
PS. But keep in mind that such URL-based security will fall to dust when users will share URLs they visited. Even best your encryption won’t help.