Ori Refael

Reputation: 3018

C# MongoDB ObjectId usage risks

I was looking at the MongoDB ObjectId object. It seems to be a non-safe object to expose to my client (even if it is his own SessionId), though I'm using the following code to generate random ObjectIds:

using System;
using MongoDB.Bson;
private static readonly Random _random = new Random();
private static ObjectId NewSessionId()
{
    var timestamp = DateTime.UtcNow;
    var machine = _random.Next(10000, 75757575) & 0xFFFFFF;   // machine field is only 3 bytes; larger values throw
    var pid = (short)_random.Next(10000, 75757575);           // truncated to 16 bits
    var increment = _random.Next(10000, 75757575) & 0xFFFFFF; // counter field is only 3 bytes
    return new ObjectId(timestamp, machine, pid, increment);
}

I get sequential ids sometimes and I don't want the user to be able to guess 1 million ids and finally catch a real one.

Is there any way to still use MongoDB on C# and maintain a secure id? Now, some say "use https", but that's not the issue. Someone can log into the web, get a sessionId of type ObjectId and try to guess.

How can I reduce the likelihood of something like that happening?

Upvotes: 0

Views: 236

Answers (1)

Alex Blex

Reputation: 37048

If you have any sensitive information stored in the DB, you should apply some ACL rules in your application to decide whether the user can retrieve data by ObjectId or not.

Upvotes: 1
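One way to address both the guessability concern in the question and the access-check point in this answer, as an added example that is not code from either post: keep the ObjectId as the internal `_id`, hand the client a separate token drawn from the OS CSPRNG, and check ownership on every lookup. The `Session` record, `SessionStore` class and the in-memory dictionary standing in for the sessions collection are assumptions of this example; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the question or the answer above.
// Assumption: sessions live in a MongoDB collection whose _id is still an
// ObjectId; the client never sees that _id, only the opaque Token.
public sealed record Session(string InternalId, string Token, string OwnerUserId);

public static class SessionStore
{
    private const int TokenBytes = 32;   // 256 bits of entropy

    // Constructed in-memory stand-in for the sessions collection
    // (in Mongo this would be a unique index on { token: 1 }).
    private static readonly Dictionary<string, Session> ByToken = new();

    // Tokens come from the OS CSPRNG, not System.Random, so the token space
    // (2^256) cannot be walked the way ObjectId's timestamp/counter fields can.
    public static string NewToken() =>
        Convert.ToHexString(RandomNumberGenerator.GetBytes(TokenBytes));

    public static Session Create(string internalId, string ownerUserId)
    {
        var session = new Session(internalId, NewToken(), ownerUserId);
        ByToken[session.Token] = session;
        return session;
    }

    // The answer's point: even with an unguessable token, verify that the
    // caller owns the session before returning anything tied to it.
    public static Session? Lookup(string presentedToken, string callerUserId)
    {
        if (!ByToken.TryGetValue(presentedToken, out var session))
            return null;
        if (session.OwnerUserId != callerUserId)
            return null;   // authorization failure looks the same as "not found"
        return session;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed ObjectId-like internal id; any 24-hex-char value would do here.
        var s = SessionStore.Create("5f1d7f3e0000000000000000", "alice");
        Console.WriteLine(SessionStore.Lookup(s.Token, "alice") is not null);
        Console.WriteLine(SessionStore.Lookup(s.Token, "bob") is null);
        Console.WriteLine(SessionStore.Lookup("0000", "alice") is null);
    }
}
```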
