MongoDB ObjectID safe for session id

牧云@^-^@ submitted on 2019-12-23 22:09:10

Question


I am making a session system for a Happstack server and I use mongoDB for persistent storage. I was wondering if the MongoDB ObjectIDs are safe for use as session IDs.


Answer 1:


Generally speaking, MongoDB ObjectIDs are globally unique, and therefore safe if collisions are your concern.

However, if you're talking about a session ID, the question really depends on if you are encrypting it client side and how. Typically the answers to those questions should be yes and as an encrypted cookie value opaque to the client. Usually any web server you are using will have utilities to help with this.

Again, if you are just trying to make sure you have a unique id, and want to use the object ID as a source, you're good.




Answer 2:


A MongoDB ObjectID is exactly 12 bytes [1] long, whereas a Session ID is probably implemented as 32 bytes [2] long. The difference is that it is easier for an attacker to guess your Session ID if it is a MongoDB ObjectID, but your session security usually does not solely count on having a hard-to-guess session ID.

Nevertheless, there is an idea recommending that a session ID should be at least 16 bytes long [3]. In this case, the vanilla MongoDB ObjectID is not safe for a session ID.

[1] https://godoc.org/labix.org/v2/mgo/bson#ObjectId
[2] https://astaxie.gitbooks.io/build-web-application-with-golang/content/en/06.2.html
[3] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet




Answer 3:


Never use MongoDB ObjectID as session identifier!

It is very easy to guess and you are able to take over someone's session. You just have to wait until someone logs in and easily brute-force his session id.

I have written about such vulnerability in this post: https://medium.com/securing/why-is-randomness-important-especially-in-the-world-of-cryptocurrencies-part-1-ebd3343c7b55


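The point made in Answers 2 and 3, worked through as an added example (this code is not from the question, the answers, or any MongoDB driver): an ObjectID is only 12 bytes, and most of those bytes are predictable. The script below uses a simplified reproduction of the layout the answers refer to (a 4-byte seconds timestamp, a 5-byte value fixed for the lifetime of the server process, and a 3-byte incrementing counter; older drivers such as mgo split the middle 5 bytes into machine id and pid, which changes nothing here). An attacker who holds one ObjectID minted by the same process, for instance their own session cookie, learns the 5 fixed bytes for free and only has to search the timestamp window and the counter gap to the victim's session. The `ObjectIdGen`, `candidate_ids` and `guess_session` names, the 60-second window and the 1000-step counter bound are all assumptions of this example; `secrets.token_bytes` is the standard-library call a practitioner would use instead.

```python
import math
import os
import secrets
import struct
from itertools import count

COUNTER_MASK = 0xFFFFFF  # the counter is 3 bytes and wraps


class ObjectIdGen:
    """Simplified reproduction of the ObjectId layout (assumption, not driver code):
    4-byte timestamp | 5-byte per-process value | 3-byte counter."""

    def __init__(self, process_bytes=None, start_counter=None):
        # Fixed for the process lifetime: every id minted by this server shares it.
        self.process_bytes = process_bytes if process_bytes is not None else os.urandom(5)
        start = start_counter if start_counter is not None else secrets.randbelow(1 << 24)
        self._counter = count(start)

    def new(self, ts):
        ctr = next(self._counter) & COUNTER_MASK
        return struct.pack(">I", ts) + self.process_bytes + ctr.to_bytes(3, "big")


def parse_objectid(oid):
    """Split a 12-byte ObjectId into (timestamp, process_bytes, counter)."""
    if len(oid) != 12:
        raise ValueError("ObjectId must be 12 bytes")
    ts = struct.unpack(">I", oid[:4])[0]
    return ts, oid[4:9], int.from_bytes(oid[9:], "big")


def candidate_ids(observed, window_seconds, max_counter_gap):
    """Every id the attacker needs to try, given one id they already hold
    and bounds on how much later (seconds) and how many ids later the
    victim's session was created. Timestamp is the outer loop."""
    ts, proc, ctr = parse_objectid(observed)
    for dt in range(window_seconds + 1):
        for dc in range(1, max_counter_gap + 1):
            yield struct.pack(">I", ts + dt) + proc + ((ctr + dc) & COUNTER_MASK).to_bytes(3, "big")


def guess_session(observed, victim, window_seconds, max_counter_gap):
    """Return the 1-based number of attempts needed to hit the victim's id,
    or None if it lies outside the assumed bounds."""
    for n, cand in enumerate(candidate_ids(observed, window_seconds, max_counter_gap), 1):
        if cand == victim:
            return n
    return None


def search_space_bits(window_seconds, max_counter_gap):
    """Effective entropy left to an attacker who knows one sibling ObjectId."""
    return math.log2((window_seconds + 1) * max_counter_gap)


def random_session_id(nbytes=16):
    """What a session id should look like: CSPRNG output, 16 bytes or more."""
    return secrets.token_bytes(nbytes)


def demo(window_seconds=60, max_counter_gap=1000):
    """Constructed scenario: attacker logs in, 41 other ids are minted,
    victim logs in 12 seconds after the attacker. Returns the attempt count
    at which the victim's id is found and the size of the whole search space."""
    gen = ObjectIdGen()
    t0 = 1_700_000_000
    attacker_sid = gen.new(t0)           # attacker's own session cookie
    for _ in range(41):                  # unrelated ids consume counter values
        gen.new(t0 + 7)
    victim_sid = gen.new(t0 + 12)        # victim's session id, unknown to attacker
    attempts = guess_session(attacker_sid, victim_sid, window_seconds, max_counter_gap)
    return attempts, (window_seconds + 1) * max_counter_gap


if __name__ == "__main__":
    attempts, space = demo()
    print(f"victim session found after {attempts} of {space} candidates "
          f"(about {search_space_bits(60, 1000):.1f} bits of effective entropy)")
    print(f"compare: a {len(random_session_id())}-byte CSPRNG id has 128 bits")
```

The search runs timestamps in the outer loop and counter offsets in the inner one, so with a 60-second window and a 1000-id counter gap the whole space is 61,000 candidates (under 16 bits), and a victim who logged in 12 seconds and 42 ids after the attacker is hit on attempt 12,042; a 16-byte `secrets.token_bytes` id leaves 2^128 candidates with no structure to exploit. Note that the example assumes the attacker can observe one id from the same server process; any ObjectID exposed in a URL or API response (a document id, for instance) serves that purpose, since it reveals the same 5 fixed bytes.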

Source: https://stackoverflow.com/questions/37263985/mongodb-objectid-safe-for-session-id
