MongoDB: is it safe to use document's ID "in public"?


Question

I really like MongoDB's automatically generated ids. They are really useful.

However, is it safe to use them publicly?

Let's say there is a posts collection, and the /posts page that takes an id parameter (something like /posts/4d901acd8df94c1fe600009b) and displays info about it.

This way the user/hacker will know the real object id of the document. Is it okay or is it not secure?

Thanks

Accepted answer

The ObjectID documentation states that the automatically generated IDs include a 3-byte machine ID (presumably a hash of the MAC address). It's not inconceivable that someone could figure out things about your internal network by comparing those three bytes in various ids, but unless you're working for the Pentagon that doesn't seem worth worrying about (you're much more likely to be vulnerable to something more boring like a misconfigured Apache).

Other than that, Epcylon's right; there's nothing inherently insecure about exposing ids through URLs. Whether it's ugly is another matter, of course. You can base64 them to make them shorter (been thinking about this myself), but then there's the weird fact that they're all about half the same.
