sql server - Where to Store sensitive data/information -

i have two factor authentication system need store auto generated code , requested time in form storage retrieving later purpose. need know best way store these sensitive information.

i planning use session store sensitive information. when googled, in places people telling not recommended use session store sensitive information. can body explain why so.

any suggestion highly appreciated.

thanks

in user database fine, it's web app database should hidden end users (if managed).

the rest making sure actual application secure -- ie no sql injections, no buffer overflows, proper workflows pass through server side authentication engine etc.