Reputation: 61
I am currently building an e-commerce app with a cart stored in the localStorage.
To improve online payment security, I want to check the prices of my items in the backend before sending these prices to the payment platform.
The values of my items are not unique: some items can have the same value if they are in different categories. That is the reason I wanted to store the ObjectId inside my cart (localStorage) and send all these ObjectIds to my backend to easily check the prices.
But I read that exposing a database ID to the user is a bad practice.
My questions are: Is it really a bad practice? Why? How can I do it differently without adding any complexity?
Thanks for your help
Upvotes: 1
Views: 94
Reputation: 28316
An ObjectID contains 3 things:
An _id value in a MongoDB collection must be unique, so whether it contains an ObjectID or not, it uniquely identifies a single document in the collection.
Exposing the _id value in MongoDB is no more or less risky than exposing a unique primary key in any other database.
Exposing an ObjectID of any kind, not just in the _id field, leaks the creation time of that value. Whether this is a problem will greatly depend on context.
If the potential problem is the timestamp contained in the ObjectID, use some other method to generate unique values to use in the _id field.
Upvotes: 0
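The two points in this thread, as an added example that is not part of the question or the answer: an ObjectId string reveals its creation time, a random identifier does not, and the backend recomputes the total from its own prices using only the ids and quantities the cart sends. The catalogue contents, the function names and the quantity limit are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Decode the creation time embedded in a 24-hex-character ObjectId string.
// The first 4 bytes are a big-endian Unix timestamp in seconds.
function objectIdCreationTime(hexId) {
  if (!/^[0-9a-f]{24}$/i.test(hexId)) throw new TypeError('not an ObjectId string');
  return new Date(parseInt(hexId.slice(0, 8), 16) * 1000);
}

// Opaque public identifier: 128 random bits, no embedded timestamp.
// Usable as the _id value or as a separate indexed field (assumption).
function newPublicId() {
  return crypto.randomBytes(16).toString('hex');
}

// Constructed catalogue standing in for the items collection (hypothetical data).
// Two items share a price but have different ids, as in the question.
const catalogue = new Map([
  ['65a1b2c30000000000000001', { name: 'Mug', category: 'kitchen', priceCents: 1200 }],
  ['65a1b2c40000000000000002', { name: 'Poster', category: 'decor', priceCents: 1200 }],
]);

// Recompute the total from server-side prices.
// Only id and qty are read; any price field sent by the client is ignored.
function priceCart(cartLines) {
  let totalCents = 0;
  for (const { id, qty } of cartLines) {
    const item = catalogue.get(id);
    if (!item) throw new Error(`unknown item id: ${id}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) throw new Error('invalid quantity');
    totalCents += item.priceCents * qty;
  }
  return totalCents;
}
```

The id sent from localStorage is only a lookup key here; the amount forwarded to the payment platform depends on the server's catalogue, not on whether the id is guessable.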