Wow.... man, just wow... Thank you so much for bringing this up, I just, just simply can't grasp my mind around the fact that SE let this slip thru their fingers, this is like the most basic rule of security... you just can't have a session ID not expiring like that... granted, for easy use some websites allow you to keep your old session ID but these are exceptions.
And I really hope SE gets into fixing this ASAP, I personally don't like the launcher but it works, anyway....

BTW! For anyone who reads this, just know this is NOT an issue with the tokens, but it's rooted deeper into the game system, it renders tokens useless as you can easily bypass them.

Also, just saying, like the guy with the very long post said, more than likely, any form of malware infection targetted for SE/FFXIV will come from enviroments around SE/FFXIV so yeah.. HamHam, we can't ban the very own internet's reason to be (aside from the CIA spying on us all @.@ lol jkjk for those paranoids out there)