storing connection string in session

[Shyam]

Hi,

I wanted some advice on the following. All the users who log in to the
system are created in the SQL Server. As I am not keen to store any user
information on the web.config file for security considerations and I need to
use SQL logins for each user, I decided to create a class CurrentUserClass
(some what similar to the TTUser class in microsoft's ASP.NET sample Time
Track application) with properties like Name, First Name, LastName, Role,
Password, Display Name etc but in addition also a function that returns
connection string (all encrypted. Once the user is authenticated (via forms
authentication) I just create a new instance of the user class and store it
encrypted in the session. The name of my server and database are encrypted
and stored in my web.config file.

eg.
Dim myUser as New CurrentUserClass(UserName, Password, ....)
Session("CurrentUser") = myUser

myUser.ConnectionString will return the connection string picking &
decrypting the server and database information from the web config file

I use this Session all across wherever I need to make connections. Is this a
safe method ? Please advice.

Thankyou very much in advance and best wishes.

Regards,

Shyam

 

[William F. Robertson, Jr.]

You do realize this type of connection string has very, very poor
scalibility. You are not receiving any benefits of connection pooling and
will continue to chew up resources on the Sql server based on the number of
users.

But having said that. I don't really see any problem with storing the
connection information as a session variable for the user.

bill

ps. I haven't heard of any problems with the security of the web.config
file as long as security is configured properly.