I think the best way is how ASP.NET handles this.
ASP.NET actually encrypts the viewstate into
SHA1(by default) for tamper proffing, which you can easily configure to 3DES, MD5 or AES based on your requirement. After it applies encryption, it then Converts it to Base64 stream and embeds into the body.
You might also use any encryption and convert it to Base64.
For Url's It is better to use
HttpUtility.UrlEncode(url) before doing redirection.
Hope you will like the solution.