Once I receive my access token for a site (say facebook) using OAuth, how important is it to keep this secret? Could anything malicious happen if someone got a hold of one?
I was wondering if it would be a bad idea to save the token in a cookie or session.
Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.