MongoDB: is it safe to use document's ID "in public"?

The ObjectID documentation states that the automatically generated IDs include a 3-byte machine ID (presumably a hash of the MAC address). It's not inconceivable that someone could figure out things about your internal network by comparing those three bytes in various ids, but unless you're working for the Pentagon that doesn't seem worth worrying about (you're much more likely to be vulnerable to something more boring like a misconfigured Apache).

Other than that, Epcylon's right; there's nothing inherently insecure about exposing ids through URLs. Whether it's ugly is another matter, of course. You can base64 them to make them shorter (been thinking about this myself), but then there's the weird fact that they're all about half the same.


I have no experience with MongoDB in a production environment, so don't take my answer as the truth, but I can't imagine why it shouldn't be safe.

Compare to a Auto-ID type column in a RDBMS. You expose those to the outside all the time, I don't know of any reason for not doing the same with MongoDB ids.

As always, the security should be in validating your input and not letting anyone near your database without proper protection. Do it properly and it shouldn't matter if they know how to pick a particular object in your database, as they still can't do anything with it.


I thought mongodb _id was based on a datestamp, and sever address and other things you might prefer to keep private.

If you're worried it might be worth encrypting mongoids and using the result as a client-side identifier (and then un-encrypting when requests come back in).

If the encryption key is partially based on some unique attribute of the user or session in question, that makes it difficult for users to access content when they shouldn't.

Obviously still important to validate the user by other means!