Stephen,

>Our main concern is that someone can use the connection string stored in app.config to gain access to the backend database without going through our application. If you can come up with a way to block that, I don't need application role. Keep in mind that I can't use Windows Authentication because not all users have domain.

First of all, you don't specify a user id and password in an end-user's config file. When they log in, MM .NET automatically inserts the ID and password into the connection string for you.

>Come back to my original question, can I switch the connection string after the user has been authenticated by a store procedure? How do I do that?

Again, if you have the connection string in the database, after a user has been authenticated, MM .NET plugs in the id and password for you. When using the MM .NET user login form, the authenticated user's ID and password are stored in the user manager's UserID and Password properties. These can be referenced like this:

mmAppBase.UserMgr.UserID
mmAppBase.UserMgr.Password

The code that automatically pulls this information out of these properties and inserts it in the connection string is found in mmDataBaseManager.GetConnectionString().