Single Signon cookie encryption - industry standard/best practice?


We are implementing a single signon solution that involves storing an
encrypted cookie with the user's username as an access token. We'd
like to make sure the cookie can't be used in a replay attack & so
plan to include the IP address in it as well.

2 Questions:

1. What is an accepted method of encryption for such a cookie? MD5?
Triple-DES? What are the issues to consider when selecting an
encryption algorithm?

2. Is there an accepted standard of what to include in such a cookie?
Expiration time? Other things? We've seen the article at: , which talks about a MAC:

MAC = MD5("secret key " +
          MD5("session ID" + "issue date" +
              "expiration time" + "IP address" +
              "secret key"))

-- is that the industry standard, given it's an article from w3? Is
there another?
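
The cookie layout quoted in the question (session ID, issue date, expiration time, IP address, keyed MAC), as an added example that is not part of the original post or of the article it cites. It substitutes HMAC-SHA256 for the nested MD5 construction; the `|` separator, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SEP = "|"  # assumed field separator; no field may contain it


def _mac(key: bytes, fields: list) -> bytes:
    """Keyed MAC over the joined fields (HMAC-SHA256, hex encoded)."""
    msg = SEP.join(fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def issue_cookie(key: bytes, session_id: str, issued: int, expires: int, ip: str) -> str:
    """Build 'session|issued|expires|ip|mac'. Fields are readable, not encrypted."""
    fields = [session_id, str(issued), str(expires), ip]
    if any(SEP in f for f in fields):
        raise ValueError("field contains the separator")
    return SEP.join(fields + [_mac(key, fields).decode()])


def verify_cookie(key: bytes, cookie: str, now: int, client_ip: str):
    """Return the session ID if the cookie is authentic, current and IP-bound."""
    parts = cookie.split(SEP)
    if len(parts) != 5:
        return None
    *fields, tag = parts
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag.encode(), _mac(key, fields)):
        return None
    session_id, issued, expires, ip = fields
    if not int(issued) <= now < int(expires):
        return None  # not yet valid, or expired
    if ip != client_ip:
        return None  # presented from a different address than it was issued to
    return session_id


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample; use a random server-side secret
    c = issue_cookie(key, "sess-1234", 1000, 2000, "192.0.2.10")
    print(c)
    print(verify_cookie(key, c, 1500, "192.0.2.10"))
```
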

