Is it possible to turn mongo ObjectId into a string and use it for urls?

document/show?id=4cf8ce8a8aad6957ff00005b 
+4
2 answers

Generally, I think you should be careful about exposing internals (e.g. database identifiers) to the client. The URL can easily be manipulated, and the user gets access to objects you do not want them to have.

For MongoDB in particular, the object identifier may even reveal some additional internal details (see here), i.e. they are not completely random. This can also be a problem.

Apart from that, I don't think there is any reason not to use the identifier.

+9

I generally agree with @MartinStettner's answer. I wanted to add a few points, mainly building on what he said. Yes, a small amount of information can be decoded from an ObjectId. This is trivially available if someone recognizes it as the ObjectId of a MongoDB object. Two downsides are:

  • It may allow someone to guess another valid ObjectId and request that object.
  • It may reveal information about the record (for example, the date it was created) or about the server that you do not want someone to have.

The “correct” fix for the first item is to implement some kind of real access control: 1) the user must log in with a username and password, 2) the object is associated with that username, 3) the application only serves objects to the user associated with that username.

MongoDB does not do this itself; you will have to rely on other means, perhaps your web application framework and/or some kind of dedicated access control list (which may itself live in MongoDB).

But here is a “quick fix” that basically solves both problems: create another “id” for the record, based on a large, good-quality random number.

How big is big? A 128-bit random number has 3.4 * 10^38 possible values. So if you have 10,000,000 objects in your database, the probability of someone guessing a real value is vanishingly small: 1 in 3.4 * 10^31. Not good enough? Use a 256-bit random number ... or bigger!

How do you represent this number in a document? You can use a string (encoding the number as hex or base64) or MongoDB's binary type. (Refer to your driver's API documentation for how to create a binary value as part of a document.)

While you could add a new field to your document to store this, you would also need an index on it. So each document is larger, and you spend more memory on that index. Here's what you might not have thought of: just use the “really random identifier” as the “_id” field of your documents. That way each document is only slightly larger, and you are using a pointer that you [probably] had there anyway.

+7
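An added example (not from either answer) that makes both points concrete: it decodes the creation timestamp and counter out of the ObjectId from the question, which is what an outsider can learn from a URL like the one above, and generates a CSPRNG-backed hex `_id` of the size the second answer recommends. Function names and the document shape are my own; `pymongo` is not required.

```python
import secrets
from datetime import datetime, timezone

# ObjectId layout (legacy drivers): 4-byte big-endian Unix timestamp,
# 3-byte machine id, 2-byte pid, 3-byte counter. Newer drivers replace
# the machine/pid bytes with a per-process random value, but the
# timestamp and counter are still there, so the leak described above remains.
def objectid_timestamp(oid_hex: str) -> int:
    """Unix timestamp embedded in the first 4 bytes of an ObjectId."""
    if len(oid_hex) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    return int.from_bytes(bytes.fromhex(oid_hex)[:4], "big")

def objectid_created_at(oid_hex: str) -> datetime:
    return datetime.fromtimestamp(objectid_timestamp(oid_hex), tz=timezone.utc)

def objectid_counter(oid_hex: str) -> int:
    """Last 3 bytes: a per-process counter, so neighbouring ids are guessable."""
    return int.from_bytes(bytes.fromhex(oid_hex)[9:], "big")

def random_id(bits: int = 128) -> str:
    """Hex-encoded identifier from the OS CSPRNG; 128 bits -> 32 hex chars."""
    if bits % 8 or bits < 64:
        raise ValueError("use a multiple of 8 bits, at least 64")
    return secrets.token_hex(bits // 8)

def guess_probability(bits: int, n_objects: int) -> float:
    """Chance that one uniformly random guess hits any existing object."""
    return n_objects / (2 ** bits)

def new_document(payload: dict, bits: int = 128) -> dict:
    """Hypothetical helper: store the random id as _id instead of a second
    indexed field, as the answer suggests."""
    return {"_id": random_id(bits), **payload}

if __name__ == "__main__":
    oid = "4cf8ce8a8aad6957ff00005b"  # the id from the question
    print("created:", objectid_created_at(oid), "counter:", objectid_counter(oid))
    print("128-bit guess odds for 10M objects:", guess_probability(128, 10_000_000))
    print(new_document({"owner": "alice", "title": "constructed sample"}))
```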
