Is it safe to store and share the generated ObjectID (_Id) fields outside of MongoDB?


Daniel Kugel

Oct 25, 2015, 6:57:25 AM
to mongodb-user
Hello,
We're using MongoDB as our store and I wanted to know if it's a good idea to use the generated _id field as the document or entity identifier outside of MongoDB as well?
On one hand it's relatively unique and looks good enough to be used as an id considering its value is meaningless to anything except MongoDB. So the reason to use it is because it's easy and looks sane.
On the other hand it's an implementation/internal detail of the data store and sharing implementation/internal details feels wrong. My question is under which scenario the fact I'm using MongoDB ObjectIDs as my entity identifiers in my application might bite me?
Migration? MongoDB vNext? Moving to a different store?
I'm interested in any such scenarios and how exactly they are problematic for me.

Wan Bachtiar

Nov 10, 2015, 10:50:58 PM
to mongodb-user

Hi Daniel,

MongoDB ObjectID is constructed from 4 different parts (time, machine id, process id and a counter starting with a random value) to act as a unique identifier for primary keys.

You can also retrieve the time portion out of ObjectID to find out when the ID was created using ObjectId.getTimestamp(), i.e.:

ObjectId("563fe76d3aa6353fd35ea520").getTimestamp()

If you are treating the ObjectID as a unique identifier, this should be fine.

In terms of store migration, as long as you are able to either create a new ID format or continue the format without colliding with any existing IDs there should be no issue. The incremental timestamp value should be able to help in that aspect.

If you are thinking of exposing ObjectIDs externally, you would need to look into the security aspect of it as well. As ObjectIDs are not hashes, given ‘enough’ time they can be ‘predicted’. You should look at approaches to detect and mitigate any ‘brute-force’ attacks. Regardless of your ID format, this should remove the aspect of giving an adversary enough time to try all possible combinations.

For example, obvious signatures to detect brute force attacks might include:

  • A large number of 404 requests from a specific IP address.
  • Successive requests for incremental ObjectIDs (which should be rare).
  • Invalid ObjectIDs (if the adversary is unaware of the expected format).


Regards,

Wan.
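
The three signatures listed in the reply above, run over a request log, as an added example that is not part of the original thread. The record layout (client IP, requested ID, HTTP status), the thresholds and the signature names are assumptions made for illustration; the sample requests are constructed.

```python
import re
from collections import defaultdict

def oid_value(text):
    """Return the ObjectID as an integer, or None if it is not 24 hex digits (12 bytes)."""
    return int(text, 16) if re.fullmatch(r"[0-9a-fA-F]{24}", text) else None

def detect(requests, min_404=3, min_invalid=2, min_sequential=3):
    """requests: iterable of (client_ip, requested_id, http_status) in arrival order.
    Returns {client_ip: set of signature names that reached their threshold}."""
    counts = defaultdict(lambda: defaultdict(int))
    last_valid = {}
    for ip, rid, status in requests:
        if status == 404:
            counts[ip]["many_404"] += 1
        value = oid_value(rid)
        if value is None:
            counts[ip]["invalid_ids"] += 1
            continue
        # Valid ID exactly one above this client's previous valid ID: an enumeration step.
        if last_valid.get(ip) == value - 1:
            counts[ip]["sequential_ids"] += 1
        last_valid[ip] = value
    limits = {"many_404": min_404, "invalid_ids": min_invalid, "sequential_ids": min_sequential}
    flagged = {}
    for ip, seen in counts.items():
        hits = {name for name, n in seen.items() if n >= limits[name]}
        if hits:
            flagged[ip] = hits
    return flagged

# Constructed sample requests (documentation IP ranges); the base ID is the one quoted in the reply.
BASE = "563fe76d3aa6353fd35ea5"
SAMPLE = (
    [("203.0.113.5", BASE + "20", 200)]
    + [("203.0.113.5", BASE + f"{n:02x}", 404) for n in range(0x21, 0x25)]
    + [("198.51.100.7", bad, 400) for bad in ("1", "abc", BASE + "2")]
    + [("192.0.2.10", "563fe76d3aa6353fd35ea520", 200),
       ("192.0.2.10", "5640a1b23aa6353fd35ea9f1", 200),
       ("192.0.2.10", "5640a1b23aa6353fd35eaaaa", 404)]
)

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE).items():
        print(ip, sorted(hits))
```

The third client makes one failed lookup among ordinary requests and stays below every threshold, so it is not flagged.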

