Security and performance issues of a web app in a multi-tenant (multi-user) environment

Hi guys, I have just launched a business web app built using CodeIgniter – [url]www.integrityinvoice.com[/url]. As this is my first web app and a critical business application, I want to be sure that I block any obvious security holes.

1. What are the security issues, or better, the unobvious security holes of a web app in a multi-tenant (multi-user) environment?

2. I am currently hosting it on a shared hosting business account but intend to move it to dedicated hosting once I get a handful of users. When is the ideal time to move it to a dedicated environment? 100, 500 users, etc., given that the app will be used by freelancers and small business owners to manage their invoicing and receipt needs regularly?

3. Due to the complexities of sub-domains and the limitations of a shared hosting environment, I decided to use one database for the multi-tenant data architecture; just about every query uses a unique tenant ID. I haven't seen any issues with non-isolation of data; however, I have noticed that many enterprise web apps use sub-domains. Is there any advantage to it, and if so, what is your advice on switching in the future without breaking the app?

4. What is your advice on concurrent transactions or queries by different users at the same time, given one database?

Thanks,
Adeniyi
[url]www.integrityinvoice.com[/url]

4 Comments

@kristovaher Feb 10, 2012 — Hey!

1. This is one of the better 'short lists' for web developers that also includes sections about security.

2. It's always good to move to the final/live environment as early as possible. There are always complications when changing the environment and it is better to deal with them early rather than later.

3. I don't understand the question, are you asking if you should have separate databases for different parts of the system? Or are you talking about tables?

4. Use transactions if possible, especially when there might be some error half-way through and you need to reverse the decision. For example, if a user creates a new invoice and at the same time creates a new recipient, your program might create one object but not save another due to an error. In this case it's better to reverse the decision. But if the system is rather straightforward then you should not worry about that too much.
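As an added example (not code from this thread or from the invoicing app discussed), a Python/sqlite3 sketch of the two patterns raised in point 3 of the question and point 4 of this reply: every query, including a lookup by primary key, is scoped by tenant_id, and the invoice and its recipient are written in one transaction that commits or rolls back as a unit. The table names, columns and sample values are assumed for illustration.

```python
import sqlite3

# Assumed schema: every tenant-owned row carries tenant_id, and the
# CHECK constraint gives us a realistic way to fail half-way through.
SCHEMA = """
CREATE TABLE recipients (
    id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT NOT NULL);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL,
    recipient_id INTEGER NOT NULL,
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0));
"""


def open_db():
    """In-memory database with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_invoice_with_recipient(conn, tenant_id, recipient_name, amount_cents):
    """Insert recipient and invoice atomically.

    `with conn:` commits when the block finishes and rolls back when it
    raises, so a failed invoice insert never leaves an orphan recipient.
    Returns True on commit, False when the transaction was rolled back.
    """
    try:
        with conn:
            cur = conn.execute(
                "INSERT INTO recipients (tenant_id, name) VALUES (?, ?)",
                (tenant_id, recipient_name))
            conn.execute(
                "INSERT INTO invoices (tenant_id, recipient_id, amount_cents) "
                "VALUES (?, ?, ?)", (tenant_id, cur.lastrowid, amount_cents))
        return True
    except sqlite3.IntegrityError:
        return False


def list_invoices(conn, tenant_id):
    """Reads are always filtered by the caller's tenant_id, never by user input alone."""
    return conn.execute(
        "SELECT id, amount_cents FROM invoices WHERE tenant_id = ?",
        (tenant_id,)).fetchall()


def get_invoice(conn, tenant_id, invoice_id):
    """Primary-key lookup still includes tenant_id: an id belonging to another
    tenant, guessed or tampered with in a URL, returns None instead of data."""
    return conn.execute(
        "SELECT id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id)).fetchone()
```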
@eval_BadCode_ Feb 12, 2012 —

1. Your security is entirely dependent on the system administrator. This is a perfect question to ask them. In the meantime, I found this list to be very very very informative and insightful: http://www.viper-7.com/articles/tips/ as it isn't only dependent on your system admin. Before even considering what security measures they have in place, it would be wise to at least harden your application. This is something they can't do for you, and it must be done.


2. Money is involved. The sooner the better, IMO.


3. I think you're looking for a problem to solve with subdomains. I don't see how this is relevant.


4. I don't see any issue with concurrent transactions in this scenario. This is a very in-depth question and it depends almost entirely on what is going on with the transaction. Just remember, if it rolls back you can always try again.

@NogDog Feb 12, 2012 — As far as PHP security goes, a fairly short read: [i][url=http://phpsecurity.org/]Essential PHP Security[/url][/i] by Chris Shiflett.
@nebestpal (author) Jan 23, 2014 — Just want to say thank you for your inputs on this thread.