I really like MongoDB's automatically generated ids. They are really useful.
However, is it safe to use them publicly?
Let's say there is a posts collecti
Perhaps think of this more as a privacy than security issue.
I'm facing exactly the same issue. In storing user contributed content in web-accessible directories based on the Mongo-generated ID, there's a risk if those IDs are predictable that one user could access another user's content.
I think the advice of others is the right route: knowing the URL of user-specific private content shouldn't be enough to access it. An attempt to access should check the matching user is making the request.
I intend to do this in Symfony2 by storing the user content outside of the web root, then allowing access to it via a new route/Controller which before passing the response will validate some identifying information about the user.
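The ownership check the answer above describes, as an added example that is not part of the original thread (written in Python rather than Symfony2 so it runs stand-alone; the collection, owner names, ids and paths are constructed). It also decodes the documented 12-byte ObjectId layout to show why the id itself carries no secret and cannot substitute for the check.

```python
from datetime import datetime, timezone


def decode_object_id(hex_id: str) -> dict:
    """Split a 24-hex-character ObjectId into the fields the BSON spec defines:
    a 4-byte big-endian Unix timestamp, a 5-byte machine/process (or random)
    value and a 3-byte big-endian counter. None of this is secret, so an
    ObjectId in a URL must never act as an access token."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes (24 hex characters)")
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "created": datetime.fromtimestamp(ts, tz=timezone.utc),
        "middle": raw[4:9].hex(),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


# Constructed stand-in for a MongoDB collection: _id -> document.
# Paths live outside the web root, as the answer above proposes, so the
# only way to reach a file is through fetch_user_file().
FILES = {
    "507f1f77bcf86cd799439011": {"owner": "alice", "path": "/srv/private/alice/report.pdf"},
    "507f1f77bcf86cd799439012": {"owner": "bob", "path": "/srv/private/bob/photo.jpg"},
}


def fetch_user_file(requesting_user: str, file_id: str):
    """Return the on-disk path only when the authenticated requester owns the
    document. An unknown id and another user's id both yield None, so the
    response does not reveal whether a guessed id exists."""
    doc = FILES.get(file_id)
    if doc is None or doc["owner"] != requesting_user:
        return None
    return doc["path"]
```

The two constructed ids differ only in the trailing counter, which is exactly the predictability the answer warns about; the ownership check is what makes that harmless.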
It's not any more unsafe than using the value of an auto-increment id from MySQL. It's not a security breach in any way.