469,623 Members | 1,683 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,623 developers. It's quick & easy.

storing connection string in session

Hi,

I wanted some advice on the following. All the users who log in to the
system are created in the SQL Server. As I am not keen to store any user
information on the web.config file for security considerations and I need to
use SQL logins for each user, I decided to create a class CurrentUserClass
(some what similar to the TTUser class in microsoft's ASP.NET sample Time
Track application) with properties like Name, First Name, LastName, Role,
Password, Display Name etc but in addition also a function that returns
connection string (all encrypted. Once the user is authenticated (via forms
authentication) I just create a new instance of the user class and store it
encrypted in the session. The name of my server and database are encrypted
and stored in my web.config file.

eg.
Dim myUser as New CurrentUserClass(UserName, Password, ....)
Session("CurrentUser") = myUser

myUser.ConnectionString will return the connection string picking &
decrypting the server and database information from the web config file

I use this Session all across wherever I need to make connections. Is this a
safe method ? Please advice.

Thankyou very much in advance and best wishes.

Regards,

Shyam
Nov 17 '05 #1
2 2190
You do realize this type of connection string has very, very poor
scalibility. You are not receiving any benefits of connection pooling and
will continue to chew up resources on the Sql server based on the number of
users.

But having said that. I don't really see any problem with storing the
connection information as a session variable for the user.

bill

ps. I haven't heard of any problems with the security of the web.config
file as long as security is configured properly.

"Shyam" <s_*****@hotmail.com> wrote in message
news:OE**************@TK2MSFTNGP12.phx.gbl...
Hi,

I wanted some advice on the following. All the users who log in to the
system are created in the SQL Server. As I am not keen to store any user
information on the web.config file for security considerations and I need to use SQL logins for each user, I decided to create a class CurrentUserClass
(some what similar to the TTUser class in microsoft's ASP.NET sample Time
Track application) with properties like Name, First Name, LastName, Role,
Password, Display Name etc but in addition also a function that returns
connection string (all encrypted. Once the user is authenticated (via forms authentication) I just create a new instance of the user class and store it encrypted in the session. The name of my server and database are encrypted
and stored in my web.config file.

eg.
Dim myUser as New CurrentUserClass(UserName, Password, ....)
Session("CurrentUser") = myUser

myUser.ConnectionString will return the connection string picking &
decrypting the server and database information from the web config file

I use this Session all across wherever I need to make connections. Is this a safe method ? Please advice.

Thankyou very much in advance and best wishes.

Regards,

Shyam

Nov 17 '05 #2
You do realize this type of connection string has very, very poor
scalibility. You are not receiving any benefits of connection pooling and
will continue to chew up resources on the Sql server based on the number of
users.

But having said that. I don't really see any problem with storing the
connection information as a session variable for the user.

bill

ps. I haven't heard of any problems with the security of the web.config
file as long as security is configured properly.

"Shyam" <s_*****@hotmail.com> wrote in message
news:OE**************@TK2MSFTNGP12.phx.gbl...
Hi,

I wanted some advice on the following. All the users who log in to the
system are created in the SQL Server. As I am not keen to store any user
information on the web.config file for security considerations and I need to use SQL logins for each user, I decided to create a class CurrentUserClass
(some what similar to the TTUser class in microsoft's ASP.NET sample Time
Track application) with properties like Name, First Name, LastName, Role,
Password, Display Name etc but in addition also a function that returns
connection string (all encrypted. Once the user is authenticated (via forms authentication) I just create a new instance of the user class and store it encrypted in the session. The name of my server and database are encrypted
and stored in my web.config file.

eg.
Dim myUser as New CurrentUserClass(UserName, Password, ....)
Session("CurrentUser") = myUser

myUser.ConnectionString will return the connection string picking &
decrypting the server and database information from the web config file

I use this Session all across wherever I need to make connections. Is this a safe method ? Please advice.

Thankyou very much in advance and best wishes.

Regards,

Shyam

Nov 17 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

reply views Thread by Shyam | last post: by
2 posts views Thread by Curt tabor | last post: by
3 posts views Thread by Brad | last post: by
1 post views Thread by Abhijeet Kumar | last post: by
37 posts views Thread by sam44 | last post: by
reply views Thread by gheharukoh7 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.