2 quick/easy questions which are very subjective.
Our client has client/server database apps and wants to replace them with Intranet apps. Their security is primarily database roles. In order to keep their current security (a requirement), I have created a login page where the user selects from a list of servers and inputs their database userid/password. I encrypt the password using the standard class DESCryptoServiceProvider. I am going to store this user connection info (user id, encrypted password and password encrypt key, and database server) in an ArrayList Session variable. Every time I need to connect to the database, I get the stored database connection string (ConfigurationManager.ConnectionStrings) and replace the userid, password, and server with the ArrayList user values.
In the future, I am going to try to convince the client to store user profile info in a database table and connect to the database with one user/password from ConfigurationManager.ConnectionStrings. But for now, I need to work with the current security in place.
1. Are there any dangers or pitfalls in my proposed solution? Or, to put it another way, is there a better way to handle this user info?
2. Session state is by Page and I cannot create a custom class to get/set session variables. Is there an elegant way to set the session variables in a class?
Thanks in advance for your input.
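An added example, not part of the original post: one way to reach the per-user login in Session from an ordinary class, and to fill the ConfigurationManager.ConnectionStrings template through a connection string builder instead of string replacement, so that characters typed on the login page cannot add or override connection keywords. It assumes SQL Server (System.Data.SqlClient); the class names, session key, connection string name and server names are hypothetical, and the DES step from the post is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

// Added example. Type names, keys and server names are hypothetical.
[Serializable] // allows out-of-process session state
public sealed class UserDbLogin
{
    public string Server { get; set; }
    public string UserId { get; set; }
    public string Password { get; set; } // assumption: kept only in server-side session
}

public static class UserDbSession
{
    private const string SessionKey = "UserDbLogin"; // hypothetical session key
    private const string TemplateName = "AppDb";     // hypothetical connectionStrings entry

    // Servers offered on the login page (constructed values). The posted value is
    // re-checked here because a drop-down does not constrain what a client sends.
    private static readonly HashSet<string> AllowedServers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "DBSERVER1", "DBSERVER2" };

    // Session is available outside a Page through HttpContext.Current.
    public static UserDbLogin Current
    {
        get { return HttpContext.Current.Session[SessionKey] as UserDbLogin; }
        set { HttpContext.Current.Session[SessionKey] = value; }
    }

    // Returns an unopened connection; the caller opens it inside a using block.
    public static SqlConnection CreateForCurrentUser()
    {
        UserDbLogin login = Current;
        if (login == null) throw new InvalidOperationException("No database login in session.");
        if (!AllowedServers.Contains(login.Server))
            throw new InvalidOperationException("Server is not on the allow-list.");

        // The builder quotes each value, so ';' or '=' in the user id or
        // password stays inside that value instead of starting a new keyword.
        var builder = new SqlConnectionStringBuilder(
            ConfigurationManager.ConnectionStrings[TemplateName].ConnectionString);
        builder.DataSource = login.Server;
        builder.UserID = login.UserId;
        builder.Password = login.Password;
        builder.IntegratedSecurity = false; // force the per-user SQL login
        return new SqlConnection(builder.ConnectionString);
    }
}
```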