Is storing connection string in a session variable a good idea?

[booksnore]

I have an application where a have a single admin database and multiple
customer databases containing the customer's warehouse data. In the
admin database I hold a user table and also a client table which holds
the encrypted individual clients connection string to their database. At
the moment on every page of my web app I make a call to the admin
database to retrieve the connection string and then decrypt it (the
web.config holds the encrpyted connection string for the admin
database). I was wondering if it might be easier just to set a session
variable to the value of the decrpyted client connection string on login
and then on each page set a property for the client connection string to
the value of this session variable.
Do you think this is this a good idea or not?
Joe

 

[HK]

I say "not" because if anyone manages to upload a simple ASP page to your
website, they could have that ASP page iterate through all session variables
and display to the screen.

Also, you have the problem of potentially not maintaining session state on
100% of browsers, but that can be worked around fairly easily by just
calling your routine again if you don't have the answer in the session
variable.

You might consider a session variable that is encrypted well. Then you just
decrypt it on the fly in your code upon each use.