
I was looking at the MongoDB ObjectId object. It seems to be a non-safe object to expose to my client (even if it's his own SessionId). Though I'm using the following code to generate random ObjectIds:

    using System;
    using MongoDB.Bson;

    // System.Random is a non-cryptographic PRNG, so every field below is predictable.
    private static readonly Random _random = new Random();

    public static ObjectId NewSessionId()
    {
        var timestamp = DateTime.UtcNow;
        var machine = _random.Next(10000, 75757575);
        var pid = (short)_random.Next(10000, 75757575);  // cast truncates to 16 bits
        var increment = _random.Next(10000, 75757575);
        return new ObjectId(timestamp, machine, pid, increment);
    }

I get sequential ids sometimes and I don't want the user to be able to guess 1 million ids and finally catch a real one.

Is there any way to still use MongoDB on C# and maintain a secure id? Now, some say "use https", but that's not the issue. Someone can log into the web, get a sessionId of type ObjectId and try to guess.

How can I reduce the likelihood of something like that happening?

Ori Refael

1 Answer


If you have any sensitive information stored in the DB, you should apply some ACL rules in your application to decide whether the user can retrieve data by objectId or not.

Alex Blex
  • Can you give a simple example of an ACL rule if I'm using the ObjectId as a user token for requests from client to server? – Ori Refael Feb 18 '16 at 17:42
  • Oh, I see. So you are using ObjectId to **identify** the user. Don't do that. Issue a **random session token** on login for this purpose. – Alex Blex Feb 18 '16 at 18:09
  • Yeah, of course. I AM using this. The session is alive for a month of inactivity basically. If the user is returning after a month it is replaced. Maybe I'll change it to be replaced every month regardless, without extensions. But still, is it enough? The code I attached is what creates the random session ids. Is the ObjectId playing a safe role here? – Ori Refael Feb 18 '16 at 19:03
  • No, ObjectId does not add any security. Why not use the standard crypto library? Something like https://msdn.microsoft.com/en-us/library/system.security.cryptography.randomnumbergenerator(v=vs.110).aspx. Especially considering the extremely long ttl. – Alex Blex Feb 18 '16 at 21:01
  • I'll do that. Thought of it too, just wondered if string processing within each request is right and not wasteful. – Ori Refael Feb 18 '16 at 21:31
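The approach the comments above recommend, a session token drawn from System.Security.Cryptography instead of an ObjectId, as an added example that is not code from the question or the answer. The base64url encoding, the hashed server-side storage and the constant-time comparison go beyond what the thread states and are design choices assumed here; the class and method names are made up for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SessionTokens
{
    // 32 bytes = 256 bits from the OS CSPRNG. An ObjectId is 12 bytes, partly a
    // timestamp and partly a counter, so its guessable space is far smaller.
    private const int TokenBytes = 32;

    // Token generation: RandomNumberGenerator, never System.Random.
    public static string NewToken()
    {
        var bytes = new byte[TokenBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return ToBase64Url(bytes);
    }

    // URL-safe alphabet so the token survives cookies, headers and query strings.
    private static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Persist only SHA-256(token) next to the user id and expiry (assumed schema);
    // a leaked session collection then contains nothing usable as a credential.
    public static byte[] HashForStorage(string token)
    {
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
        }
    }

    // Compare the presented token's hash against the stored hash in constant time,
    // so response timing does not reveal how many leading bytes matched.
    public static bool Matches(string presentedToken, byte[] storedHash)
    {
        var presentedHash = HashForStorage(presentedToken);
        if (presentedHash.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < presentedHash.Length; i++) diff |= presentedHash[i] ^ storedHash[i];
        return diff == 0;
    }
}
```

The per-request cost asked about in the last comment is one SHA-256 over a 43-character string, which is negligible next to the database round trip that follows it.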