Are IDs (ObjectIds from mongo) safe to use in a URL?

Posted 2020-03-09 07:22

I was recently told that using mongodb _id fields in a URL is unsafe. I was wondering if that's true.

My site is restricted to registered users, and every user has their own URL endpoints, which contain an id from mongo. It's the typical mongodb _id field - a SHA1. AFAIK, the id is unguessable, and even if someone hits upon someone else's id, session-based authentication in my app doesn't allow access. No one has direct database access other than the application itself.

I'm curious to know if there's anything I'm missing.

Edit: Clarified question. (mongodb ObjectIDs aren't SHA1s)

2 answers
劫难
Post #2 · 2020-03-09 07:39

It's rather a good idea to use a seemingly random string as _id (or create a GUID) in the URL rather than a number. If you have a public API, user/1001, user/20032 is just begging for hackers to guess the next number and get at a random user's info.

啃猪蹄的小仙女
Post #3 · 2020-03-09 07:41

The _id field from MongoDB is (by default) of type ObjectID. It is not a SHA1.

And its string representation (like 4ed7cbfd1d96406ca0000015) is, for sure, URL-safe. I use it everywhere.

I mean, it is safe to expose it everywhere where you would put a regular int identifier (/products/3 or /users/42 or whatever).

On your site you should check if a user is logged in and if they have access to the given URL. You should not blindly allow users to visit URLs with ObjectIDs in them just because the ids are not easy to guess (they're easier than SHA1, though).

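As an added example, not code from either answer or from MongoDB's own driver, the Python below makes both points concrete: it decodes the sample ObjectId quoted above by hand to show which of its bytes are predictable (timestamp and counter), enumerates the ids an attacker would try next, and then puts an unchecked lookup beside the owner-scoped lookup the second answer calls for. The document store is a constructed in-memory dict standing in for a collection; `DOCS`, `fetch_unchecked` and `fetch_for_user` are illustrative names and not anything from the page. It uses only the standard library, so it runs offline.

```python
# Added example (not from the original answers): anatomy of a MongoDB ObjectId,
# why neighbouring ids are guessable, and the ownership check that makes the
# URL safe regardless. Standard library only.
from datetime import datetime, timezone
from typing import Dict, List, Optional

def decode_object_id(hex_id: str) -> Dict[str, object]:
    """Split a 24-hex-char ObjectId into its legacy fields.

    Layout (12 bytes, big-endian): 4-byte Unix timestamp, 3-byte machine id,
    2-byte process id, 3-byte counter. Since MongoDB 3.4 the 5 bytes after the
    timestamp are a per-process random value instead, but the counter is still
    the last 3 bytes and still increments by one for each id the process makes.
    """
    if len(hex_id) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(hex_id)  # raises ValueError on non-hex input
    return {
        "timestamp": int.from_bytes(raw[0:4], "big"),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }

def created_at(hex_id: str) -> datetime:
    """The creation time an ObjectId leaks to anyone who sees the URL."""
    ts = decode_object_id(hex_id)["timestamp"]
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)

def neighbours(hex_id: str, span: int = 2) -> List[str]:
    """Ids an attacker tries first: same timestamp/machine/pid, counter +- span.

    Documents created by the same process in the same second differ only in
    the counter, which is why an ObjectId is far weaker than a 160-bit SHA1
    (or a 128-bit random UUID) as a capability.
    """
    raw = bytes.fromhex(hex_id)
    counter = int.from_bytes(raw[9:12], "big")
    out = []
    for delta in range(-span, span + 1):
        if delta == 0:
            continue
        c = (counter + delta) % (1 << 24)  # counter wraps at 3 bytes
        out.append((raw[:9] + c.to_bytes(3, "big")).hex())
    return out

# Constructed stand-in for a "documents" collection: _id -> document.
# The three ids are consecutive counters from one process in one second.
DOCS: Dict[str, Dict[str, str]] = {
    "4ed7cbfd1d96406ca0000014": {"owner": "alice", "body": "alice's first note"},
    "4ed7cbfd1d96406ca0000015": {"owner": "bob", "body": "bob's note"},
    "4ed7cbfd1d96406ca0000016": {"owner": "alice", "body": "alice's second note"},
}

def fetch_unchecked(doc_id: str) -> Optional[Dict[str, str]]:
    """The insecure direct object reference: treats "logged in" as "authorised"
    and relies on the id being hard to guess."""
    return DOCS.get(doc_id)

def fetch_for_user(session_user: str, doc_id: str) -> Optional[Dict[str, str]]:
    """Look up by id AND owner, the dict equivalent of
    db.documents.findOne({_id: ObjectId(doc_id), owner: session_user}).

    Returns None for both "not found" and "not yours", so the response does
    not tell a guesser which neighbouring ids exist.
    """
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return None
    return doc

if __name__ == "__main__":
    sample = "4ed7cbfd1d96406ca0000015"
    print("fields:", decode_object_id(sample))
    print("created:", created_at(sample).isoformat())
    for guess in neighbours(sample, 1):
        # Bob, logged in as himself, walks the counter and reaches Alice's notes
        # through the unchecked path but not through the owner-scoped one.
        print(guess, "unchecked ->", fetch_unchecked(guess),
              "| as bob ->", fetch_for_user("bob", guess))
```

Running it shows the sample id was minted on 2011-12-01 UTC by a process whose counter stood at 21, that the two neighbouring ids resolve through `fetch_unchecked`, and that `fetch_for_user("bob", ...)` returns None for both of Alice's documents. The point is the same as the answers': the id in the URL is fine to expose, but the query that serves the page must carry the session user's identity, not just the id.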