Hi there.

I have an ASP.NET site using SQL Server.

Currently the way I have it set up is that once the user logs in, for any page they wish to access, they are redirected to that aspx site with a QS (query string) parameter which contains their userID, but it is encrypted and only the application can decrypt it.

When the application decrypts it for the userID, it queries SQL to see what the username is, so it can be displayed in a welcome message on each page or for whatever reason.

However, would this be costly (performance and bandwidth)? Performance seems fine anyway.

How would I be able to store a unique session ID? This is so that the user cannot click on a link in their browser which has a page with the userID encrypted query string... an invalid way of logging on really.

What is the best way of storing a unique session ID and, along with it, some values for that session ID? This is so that it does not query SQL for the values (userid, username) every time for every page or whatever.

Thank you