I have a web service that needs to be protected from unauthorized users. I need to expose a web service operation to Authorize a user, based on username and password. The response to the user validation request should contain a security token. That security token contains some embedded user properties that the client applicatino can use, but when encrypted, will also be used to authenticate subsequent web service operations. The unencrypted token looks something like this:

UID=444; DTE=2012-06-01T14:01:54.9571247Z; GID=1; WID=00:1C:B3:04:85:11; SID=lit3py55t21z5v55vlm25s55;

I can use a symmetric key algorithm as the key can be a shared secret between client and server (I control both). I have implemented the following Rijndael example using SHA1 and a key size of 256.

This code is often quoted across the internet, but Microsoft themselves, state in relation to Rijndael:

The Rijndael class is the predecessor of the Aes algorithm. You should
use the Aes algorithm instead of Rijndael. For more information, see
the entry The Differences Between Rijndael and AES in the .NET
Security blog.

Are there any security concerns I should have? If so, how would you change the example code, or can anyone provide a better, more secure example?

Finally, as an alternative, I am considering using Windows Azure Access Control Service to issue security tokens against my own identity provider, and using that token to get user account data as a separate call. Since the application is running in Azure, would this be a better implementation? Would anyone like to share their experience of using ACS for such an architecture?

BTW: The client application is iOS 5.