OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general? Any time you put your data, application, whatever, on someone else's server (Microsoft, Google, Facebook, etc.) they have access to the content, no matter what encryption protects your data from everyone else since they know your credentials? Is it enough that you know the legal entity you are dealing with and they have a Privacy Policy?

That said, obviously the site IS protected with SSL and the cookie is NOT stored as a text file (I already said it is RSA encrypted), besides which storing the credentials is optional. Since the project was done to address an internal need, I also fully understand that it is more appealing as an internal solution than an external one so I'd be happy to release a compiled version that could be hosted on the client's own servers as seems to be the general suggestion? As I said, I was previously looking to see if anyone else had already developed such and application and only found similar questions, no answers...

For Lowell and Sean, if you do want to test the application further, I have set up a Guest login and a test database that you can use without fear of phishing! Just PM me and I will give you the info as I really do appreciate the constructive criticism. Otherwise, the encrypted site is now up if you want to take a look: esqlclient.azurewebsites.net