.net - How do I encrypt session data into a token to authorize subsequent web service calls? -

i have web service needs protected unauthorized users. need expose web service operation authorize user, based on username , password. response user validation request should contain security token. security token contains embedded user properties client applicatino can use, when encrypted, used authenticate subsequent web service operations. unencrypted token looks this:

uid=444; dte=2012-06-01t14:01:54.9571247z; gid=1; wid=00:1c:b3:04:85:11; sid=lit3py55t21z5v55vlm25s55; 

i can use symmetric key algorithm key can shared secret between client , server (i control both). have implemented following rijndael example using sha1 , key size of 256.

this code often quoted across internet, microsoft themselves, state in relation rijndael:

the rijndael class predecessor of aes algorithm. should use aes algorithm instead of rijndael. more information, see entry the differences between rijndael , aes in .net security blog.

are there security concerns should have? if so, how change example code, or can provide better, more secure example?

finally, alternative, considering using windows azure access control service issue security tokens against own identity provider, , using token user account data separate call. since application running in azure, better implementation? share experience of using acs such architecture?

btw: client application ios 5.

instead of building use formsauthentication.encrypt method. method encrypt , sign formsauthenticationticket (this 'ticket' can contain username additional information). signing ticket prevents tampering (this based on machine key).

the encrypted ticket string send mobile device. then, each other request send token , decrypt server side. that's authentication part.

now, if want send encrypted data client suggest transfer data on https (the same applies token).

reference: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx