Still new on the ASP.NET as you know... I'm working with a database that generally is read-only to 99% of the visitors, then there is the 1% of people who can change the records. What I've been doing is having a secret page where they can enter the username and password to the SqlLogin that has db_datareader/db_datawriter permissions and trying to open and close the connection. If it doesn't open I tell them they entered a wrong user name or password, if it is does, I transfer them back to the home page with session variables set with the username and password. All the other pages look at these session variables and if they are set the application uses that to connect to the database, if not is uses the default (db_datareader only) that is hard-coded into the code page. How unsecure is this? I think you see what I'm trying to do, what is the correct method?