Comment 2 for bug 1447679

ANNOUR (anass-annour) wrote :

To explain this issue further: any user (even unauthenticated) who can get the right URL (host:6080/vnc_auto.html?token=ABCD) can access the console of the machine without the need for any additional information.
You may think that obtaining the right token is complex, but it's not the case: the token is already present in the URL (which can be obtained from browser history, network sniffing, reviewing the web proxy used in the company, ...) and the token remains valid.
Besides this, using a short token (compared to the Session ID in Horizon) in an exposed service may affect the security of OpenStack.