First off, you should never store the user’s credentials in a cookie. It’s incredibly insecure. The password will be passed with every request as well as being stored in plain text on the user’s machine.
Second, don’t reinvent the wheel, especially when security is concerned, you’ll never get it right.
ASP.Net already provides this functionality securely with Forms Authenitcation and Membership Providers. You should take a look into that. Creating a default MVC project will include the basic authentication setup. The official MVC site has more.
Update
You can still use .NET forms authentication without implementing a membership provider. At a basic level it would work like this.
You enable forms authentication in you web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
You decorate the actions or the controllers you would like to secure with the [Authorize] attribute.
[Authorize]
public ViewResult Index() {
//you action logic here
}
Then create a basic login action
[HttpPost]
public ActionResult Login(LoginViewModel dto) {
//you authorisation logic here
if (userAutherised) {
//create the authentication ticket
var authTicket = new FormsAuthenticationTicket(
1,
userId, //user id
DateTime.Now,
DateTime.Now.AddMinutes(20), // expiry
rememberMe, //true to remember
"", //roles
"https://stackoverflow.com/"
);
//encrypt the ticket and add it to a cookie
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(cookie);
return RedirectToAction("Index");
}
}