However you do it, you'll end up varying your connection string based on user input. Don't use user input directly, but validate it against a list of acceptable values. I suggest a Select Case statement to do this:
' Do this when logging in: '
Dim companyName
companyName = Request.Form("companyName")
Select Case companyName
Case "company1"
Session("companyDB") = "company1"
Case "company2"
Session("companyDB") = "company2"
Case Else
Session.Contents.Remove("companyDB")
' Invalid login! '
End Select
' Do this when connecting to the database: '
Dim connectionString
If Session("companyDB") Then
connectionString = "...database=" & Session("companyDB") & "..."
Else
' Invalid login, go log in again '
End If
Keep in mind that this will lead to trouble if you have users who will want to open one company in one tab and another company in another tab. They are going to wonder why they can only see information for the company they logged into most recently.
If this is going to be an issue, you will probably want to pass a token around in the query string on each link. This adds complexity, but not terribly much (aside from the tedious task of changing every link). It would then look like this:
' Do this when logging in: '
Dim companyName
companyName = Request.Form("companyName")
Select Case companyName
Case "company1"
Session("company1 - db") = "company1DBName"
Case "company2"
Session("company2 - db") = "company2DBName"
Case Else
' Invalid login! '
End Select
' Do this when connecting to the database: '
Dim connectionString, companyToken
companyToken = Request("companyToken")
If Session(companyToken & " - db") Then
connectionString = "...database=" & Session(companyToken & " - db") & "..."
Else
' Invalid login, go log in again
End If
This assumes that the token will be the same as the company name, for simplicity. So, for instance, somebody will log in for "company1." Having done so successfully, they get a session variable called "company1 - db", which contains the name of the database (in this case, "company1DBName").
Now, every link they follow should have a query string, like "?companyToken=company1" So, when you are connecting to the database, you take that token and use it to find the right database name: Session("company1" + " - db") = "company1DBName"
If they haven't logged in to that company yet (or if they just make up a company name), they won't have that session variable, and they have to go to the log in screen.
If they log in under two companies at once, you can now handle it because you'll be obtaining the database name on every link.
Make sense?
Whatever you do, do not use the user input to create the connection string directly. In other words, the following is the wrong way:
Dim connectionString
connectionString = "...database=" & Request.Form("companyDB") & "..."
Good luck!