In our web-based-solution (PHP)  the database credentials (username and password) are encrypted and stored by PHP as session-Variables.

Yes, there is the risk, they could be read by someone, who has access to the apache-sessions-directory, but this user also must have access to the php-scripts with the encrypt-functions to get the unencryption-keys and he must be able to work with these informations.

But I think, this solution is much more save then storing or comitting the credentials as clear-text in cookies, hidden formular-elements or as sessions.
But when you try to login to the database, somehow the credentials must be cleartext, so you can't get rid of this lack of security in my opinion.

By the way, this is an *intra*net-solution, and we don't have hackers in our staff, I hope...

Ludwig