Comments by Jason Henderson (Top 1 by date)

Generally, you would not store authentication info (email, pwds, etc) in session variables. You take that info, authenticate with it, and then create a token with their CSPID and other identity info which could include how to connect to the database. The token could be an encrypted JSON string or XML (when passing it around) that you can decrypt on the server side to easily get out the info you need.

As far as keeping the connection open, I think you need to figure that out by your needs. I would say close it for every query, but it you need it multiple times in the same page or server side code, then cache it if instantiating the connection is too slow. You could try connection pooling as well.