How important is it to keep OAuth's access token secret?

Once I receive my access token for a site (say facebook) using OAuth, how开发者_运维技巧 important is it to keep this secret? Could anything malicious happen if someone got a hold of one?

I was wondering if it would be a bad idea to save the token in a cookie or session.

Yes, the access token is equivalent to your username/password. Most implementations will expire the access token after a time but while it is still valid it must be kept a secret.

Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.