This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chances if a token could be obtained through a man in the middle attack or through session hijacking that the stolen token could be used to impersonate the user.
Suggestion, assign expiration timestamps to tokens that is administrator configurable. Default setting should be about 15 minutes.