Security and performance issues of web app. in a multi-tenant (multi- users) environm
Hi guys, I have just launched a business web app built using codeigniter - www.integrityinvoice.com. As this is my first web app and a critical business application I want to be sure that I block any obvious security holes.
1. What are the security issues or better unobvious security holes of web app. in a multi-tenant (multi- users) environment ?
2. I am currently hosting it on a shared hosting business account but intend to move it to a dedicated hosting once I get a handful users. When is the ideal time to move it to a dedicated environment? 100 , 500 users etc given that the app will be used by freelancers and small business owners to manage their invoicing and receipts needs regularly?
3. Due to complexities of sub-domain and limitation of shared hosting environment, I decided to use one database for multi-tenant data architecture, just about every query uses a unique tenant ID, I haven't seen any issues about non-isolation of data, however I have noticed that many enterprise web app use sub-domain. Is there any advantage with it and if so what is your advice on switching in the future without breaking the app?
4. What is your advice on concurrent transactions or queries by different users at the same time given one database?
2. It's always good to move to final/live environment as early as possible. There are always complications when changing the environment and it is better to deal with them early rather than later.
3. I don't understand the question, are you asking if you should have separate databases for different parts of the system? Or are you talking about tables?
4. Use transactions if possible, especially when there might be some error half-way through and you need to reverse the decision. For example, if a user creates a new invoice and at the same time creates a new recipient, your program might create one object but not save another due to error. In this case it's better to reverse the decision. But if the system is rather straightforward then you should not worry about that too much.
1. Your security is entirely dependant on the system administrator. This is a perfect question to ask them. In the mean time, I found this list to be very very very informative and insightful: http://www.viper-7.com/articles/tips/ as it isn't only dependant on your system admin. Before even considering what security measures they have in place, it would be wise to at harden your application. This is something they can't do for you, and it must be done.
2. money is involved. The sooner the better IMO.
3. I think you're looking for a problem to solve with subdomains. I don't see how this is relevant.
4. I don't see any issue with concurrent transactions in this scenario. This is a very in-depth question and it depends almost entirely on what is going on with the transaction. Just remember, if it rolls back you can always try again.
I use (, ; : -) as I please- instead of learning the English language specification: I decided to learn Scheme and Java;