I’m using GData’s AuthSub so that my administrative application doesn’t need to store user/password information. I just came to the point in the documentation where I learned how to exchange the first, single-use token, for a session token (http://code.google.com/apis/accounts/docs/AuthSub.html#AuthSubSessionToken). And then this statement jumped out at me:
You can ignore the expiration date, which is not currently used; session tokens effectively do not expire.
Would someone care to explain how a non-expiring token is not a security issue? What does “effectively not expire” really mean? Theoretically if a malicious application manages to obtain one of these tokens, can it continue to use it regardless of password changes? Is it possible to see what session tokens have currently been issued on a Google account?
In short, my paranoia has taken hold, and I need a big smart person to comfort me!
EDIT: You can manually revoke tokens at https://www.google.com/accounts/IssuedAuthSubTokens
Yes, in fact if a session token never expires it is a vulnerability is recognized by CWE-384 , If the session takes a really long time to expire then it is a violation of CWE-613. Both CWE pages give a great explanation of the vulnerability. I do not know the specifics to this applications, but normally a Session token can be used to immediately authenticate without need for the username/password.