I really like MongoDB's automatically generated ids. They are really useful.
However, is it safe to use them publicly?
Let's say there is a posts collecti
I thought MongoDB _id was based on a datestamp, and server address and other things you might prefer to keep private.
If you're worried it might be worth encrypting mongoids and using the result as a client-side identifier (and then un-encrypting when requests come back in).
If the encryption key is partially based on some unique attribute of the user or session in question, that makes it difficult for users to access content when they shouldn't.
Obviously still important to validate the user by other means!
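
The approach suggested in this answer, sketched for Node.js as an added example (not code from the original post). The answer names no algorithm, so AES-256-GCM with an HKDF-derived per-session key is an assumption, and `MASTER_KEY`, `sessionKey`, `encodeId` and `decodeId` are hypothetical names.

```javascript
// Added example: session-bound opaque tokens for MongoDB ObjectIds.
// All names here (MASTER_KEY, sessionKey, encodeId, decodeId) are hypothetical.
const crypto = require('node:crypto');

// Constructed for the demo; in a real service this comes from a secret store.
const MASTER_KEY = crypto.randomBytes(32);

// Derive a per-session AES-256 key, so a token minted for one session
// fails authentication when replayed in another.
function sessionKey(sessionId) {
  const okm = crypto.hkdfSync('sha256', MASTER_KEY, Buffer.alloc(0),
    `objectid-token:${sessionId}`, 32);
  return Buffer.from(okm);
}

// ObjectId (24 hex chars) -> URL-safe token: iv(12) || ciphertext(12) || tag(16).
function encodeId(objectIdHex, sessionId) {
  if (!/^[0-9a-f]{24}$/i.test(objectIdHex)) throw new TypeError('not an ObjectId');
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey(sessionId), iv);
  const ct = Buffer.concat([cipher.update(Buffer.from(objectIdHex, 'hex')), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64url');
}

// Token -> ObjectId hex, or null if malformed, tampered with, or from another session.
function decodeId(token, sessionId) {
  if (typeof token !== 'string') return null;
  const buf = Buffer.from(token, 'base64url');
  if (buf.length !== 40) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey(sessionId), buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(24));
  try {
    const pt = Buffer.concat([decipher.update(buf.subarray(12, 24)), decipher.final()]);
    return pt.toString('hex');
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed sample id. A decoded id still goes through the normal
// authorization check before the document is returned.
const sampleId = '507f1f77bcf86cd799439011';
const token = encodeId(sampleId, 'session-A');
console.log(token, decodeId(token, 'session-A'), decodeId(token, 'session-B'));
```

Because the key is derived from the session, tokens stop resolving when the session ends, so they are unsuitable for links that must stay valid across sessions.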