I am going to risk this as an answer because I can’t really see the need for what you describe:

1. If the connection string is already encrypted in the web.config *_you_don’t_need_to_decrypt_it* when the application starts, you just decrypt it every time you instantiate a database connection. Believe me, the performance of decrypting the connection string is negligible even if you do it every time you open a connection. But assuming you are a performance freak and you only want to decrypt it once and put in Session (bad idea, but it appears that that’s what you are doing), there’s nothing to worry about as I will explain in point 3 below.

2. Supposing that you decrypt it once (Application_Start, what have you), why do you say that you need to encrypt it again before application closes - by whatever way - either normal close or application error.? The connection string is not transferred over the wire, it’s something that it’s used on the server side in order to instantiate a connection to the database but it is not something that someone can see by using the application, unless of course, you store it in ViewState but that would be very silly.

3. You mentioned that you store something in Session although is not 100% clear whether you are referring to the connection string or something else. Assuming it is the connection string (again, I can’t think of a valid reason for this. I apologize if there’s one.) it’s not something that any user can see since Session is nothing but memory bytes on the server. The same applies for Cache.

So, that’s that.

You decrypt the connection string, instantiate your connection, do your thing and close the connection. The connection string can stay encrypted in web.config for ever; untouched.

UPDATE

Since the OP is using the Membership provider, the solution is to implement your own Membership provider. You can download a sample project demonstrating how to do this from Microsoft at the following link: http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi

Look at the SQLConnectionHelper.cs class.

Here’s another post doing pretty much exactly what you need.

UPDATE 2

Here’s another way to do the same thing using Reflection. Call it a hack, but it seems to do the job:

Inside Application_PreRequestHandler in Global.asax call this method, where connectionString is your connection string already decrypted:

private void SetProviderConnectionString(string connectionString)
{
// Set private property of Membership, Role and Profile providers. Do not try this at home!!
var connectionStringField = Membership.Provider.GetType().GetField("_sqlConnectionString", BindingFlags.Instance | BindingFlags.NonPublic);
            if (connectionStringField != null)
                connectionStringField.SetValue(Membership.Provider, connectionString);

            var roleField = Roles.Provider.GetType().GetField("_sqlConnectionString", BindingFlags.Instance | BindingFlags.NonPublic);
            if (roleField != null)
                roleField.SetValue(Roles.Provider, connectionString);

            var profileField = ProfileManager.Provider.GetType().GetField("_sqlConnectionString", BindingFlags.Instance | BindingFlags.NonPublic);
            if (profileField != null)
                profileField.SetValue(ProfileManager.Provider, connectionString);
}

Source.