Most secured way to persist data in ASP MVC

I'm using ASP MVC application + WCF service with custom session behavior implementation. Clients receive, store and use (for authorization) session tokens. Now I'm searching for most secured way to store session token at client side in ASP MVC.

I see few ways:

1. Hidden field. Drawback: user can open page source code and get token.
2. Route value. Drawback: token is actually open. User can get it from address bar.
3. Session. I've read a lot articles with one 开发者_JAVA百科conclusion: using Session in MVC application is a bad practice. But Session have a lot advantages as well: can be widely configured, can store token at server side, etc.

I'm sure there are some best practices for solving my problem. Any help will be appreciated.

Require HTTPS connections, encrypt secure data, place in cookie.

You could also pass the token around your site, encrypted of course via a hidden field or something but your scenario is actually what cookies are made to do.

My bank sets a cookie, they should be good enough for what you are doing.