I need to build my connection string on the fly to my sql db in order to use the user's username and pw. How can I securely store this string with the username and pw to be used when pulling recordsets on other pages? I read session variables are bad to use on the server and I don't want to store it client side unless I have to. It needs to be secure but not encrypted secure. Is there any way to do this?

Thanks,
Dia

Pass it as a hidden value in a form field?

For security reasons you should use Session variables, the other options like cookies or hidden form fields will cause the user id and password to be sent back and forth from the browser and will be visible to anyone watching the wire or show up in log files.

Session variables have their problems but as long as your application isn't excessively busy they aren't that big of a problem.

Another option is to upgrade the application to .NET, they overhead of keeping session state information was dropped dramatically.