c#, asp.net, asp.net-mvc, cookies, forms-authentication

Creating second ASP.NET MVC authentication cookie


I am working in an ASP.NET MVC 5 application where I need two levels of security. Users log in to the system and after that, they have the option to "log in" to a second subsystem (let's think of a company branch) by selecting one company branch from a list of company branches. This scenario is similar to having a GitHub account with some repositories. First, you log in to GitHub and then you select the repository to work on. I don't want to pass the branch id/name as a URL parameter; I want to create a cookie to store basic branch data such as id and name. I am creating a cookie (using HttpCookie) with company branch data. My question is: what is the best way to create (and encrypt) this second cookie to identify the selected company branch?


Solution

  • Use roles to manage access to the different branches. The dropdown list shouldn't even show the branch if the user doesn't have access to it in the first place, and the controller action for the branch page should be decorated with an [Authorize] attribute. Then it's fine if you leave the branch ID or whatever in the URL. An unauthorized user wouldn't be able to view it if they changed it anyway. http://www.asp.net/web-pages/overview/security/16-adding-security-and-membership
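The following is an added example, not code from the question or the answer above, showing how the two pieces fit together in an ASP.NET MVC 5 controller: the role check the answer recommends runs on every request, and the selected branch is remembered in a cookie that is encrypted and signed with `MachineKey.Protect` / `MachineKey.Unprotect` (System.Web.Security, .NET 4.5 and later), so the client can neither read nor alter it. The cookie name `SelectedBranch`, the purpose string, the role naming scheme `Branch_<id>`, the `BranchController` actions and the `UserMayAccessBranch` helper are all assumptions made for the example; `Secure = true` assumes the site is served over HTTPS.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper for the branch cookie. MachineKey.Protect/Unprotect encrypt and
// sign the payload with the application's machine key, so the branch id cannot be read
// or tampered with on the client side.
public static class BranchCookie
{
    public const string Name = "SelectedBranch";          // assumed cookie name
    private const string Purpose = "BranchSelection.v1";  // binds the payload to this one use

    public static HttpCookie Create(int branchId, string branchName, string userName)
    {
        // The user name is part of the payload so a cookie cannot be replayed under another account.
        var payload = Encoding.UTF8.GetBytes(userName + "|" + branchId + "|" + branchName);
        var protectedBytes = MachineKey.Protect(payload, Purpose);
        return new HttpCookie(Name, HttpServerUtility.UrlTokenEncode(protectedBytes))
        {
            HttpOnly = true,  // not readable by script
            Secure = true,    // only sent over HTTPS (assumes the site runs on HTTPS)
            // no Expires: a session cookie, discarded when the browser closes
        };
    }

    // Returns the branch id, or null if the cookie is missing, tampered with, or belongs to another user.
    public static int? Read(HttpRequestBase request, string userName)
    {
        var cookie = request.Cookies[Name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var plain = MachineKey.Unprotect(HttpServerUtility.UrlTokenDecode(cookie.Value), Purpose);
            var parts = Encoding.UTF8.GetString(plain).Split('|');
            if (parts.Length != 3 || parts[0] != userName) return null;
            return int.Parse(parts[1]);
        }
        catch (Exception)  // CryptographicException on tamper or key change, FormatException on bad encoding
        {
            return null;
        }
    }
}

[Authorize]
public class BranchController : Controller
{
    // Hypothetical role scheme: a user who may work in branch 12 holds the role "Branch_12".
    private static bool UserMayAccessBranch(IPrincipal user, int branchId)
    {
        return user.IsInRole("Branch_" + branchId);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Select(int branchId, string branchName)
    {
        // Server-side check mirrors the filtered dropdown: the role decides, not the posted id.
        if (!UserMayAccessBranch(User, branchId)) return new HttpUnauthorizedResult();
        Response.Cookies.Add(BranchCookie.Create(branchId, branchName, User.Identity.Name));
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        var branchId = BranchCookie.Read(Request, User.Identity.Name);
        // Re-check the role on every request: the cookie only remembers the choice,
        // authorization still comes from role membership.
        if (branchId == null || !UserMayAccessBranch(User, branchId.Value))
            return RedirectToAction("Choose");
        ViewBag.BranchId = branchId.Value;
        return View();
    }

    public ActionResult Choose() { return View(); }
}
```

The cookie here is a convenience, not an authorization decision: if a user's branch role is removed, the next request to `Index` fails the `IsInRole` check and sends them back to the selection page regardless of what the cookie says. Because `MachineKey.Protect` uses the application's machine key, every server in a web farm needs the same `<machineKey>` in web.config for the cookie to validate across instances.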