Why does Google's OAuth2 documentation recommend storing a profile ID in a cookie?

Question

Google's OAuth2 documentation for Go, titled "Authenticating Users with Go" and involving a bookshelf example application, suggests storing the profile information in a cookie. See, for instance, the profileFromSession() function, also visible in GitHub. That documentation says "Because the profile information is stored in the session, it can be retrieved by the application without fetching it again from the Google+ API". It stores the Google+ ID and DisplayName (via the plus.Person.ID and plus.Person.DisplayName).

But isn't that bad practice? Doesn't it make it easy for clients to fake the user profile, letting them access any user's data in your application by just putting a different user ID in the cookie?

When getting the profile from the cookie, it first checks if the token is valid, but that only checks locally if the token struct contains an access token and if it has expired, without any communication with Google's servers. Surely it would be possible for a client to construct a fake cookie with an arbitrary profile ID. The cookie is encrypted (see http://www.gorillatoolkit.org/pkg/sessions#NewCookieStore), but only symmetrically, making the encryption key the only obstacle to this attack.

Google's equivalent Java OAuth2 documentation seems to do the same thing.

Have I misunderstood something? I can't believe that Google's documentation would recommend something so insecure.

Answer 1

Score: 1

The example uses HMAC to prevent cookie forgery.

More details: The example uses Gorilla's securecookie package to access cookies. This securecookie package uses the crypto/hmac package to sign and verify cookies.

If the cookies are sent over HTTPS, then a third party cannot steal a cookie.

The securecookie package's encryption feature plays no role in preventing forgery or theft of the cookies.
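The signing step this answer describes, as an added example that is neither the bookshelf sample's nor gorilla/securecookie's own code: a minimal HMAC-SHA256 signed cookie built only from Go's standard library. The function names (`SignCookie`, `VerifyCookie`), the encoding layout, the key and the profile value are all constructed for the demo; it shows why a client cannot swap in a different profile ID without the server-side key, and that no encryption is involved in that guarantee.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical minimal model of the integrity part of a signed cookie:
// cookie = base64url(value) + "." + base64url(HMAC-SHA256(key, name+"|"+base64url(value))).
// Mixing in the cookie name stops a valid cookie being replayed under another name.
var ErrBadSignature = errors.New("cookie signature invalid")

func mac(key []byte, name, encValue string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(name + "|" + encValue))
	return h.Sum(nil)
}

// SignCookie wraps value with its MAC; only the server holds key.
func SignCookie(key []byte, name, value string) string {
	enc := base64.RawURLEncoding.EncodeToString([]byte(value))
	return enc + "." + base64.RawURLEncoding.EncodeToString(mac(key, name, enc))
}

// VerifyCookie recomputes the MAC and compares in constant time before trusting the value.
func VerifyCookie(key []byte, name, signed string) (string, error) {
	enc, sig, ok := strings.Cut(signed, ".")
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if !ok || err != nil || !hmac.Equal(got, mac(key, name, enc)) {
		return "", ErrBadSignature
	}
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	return string(raw), err
}

func main() {
	key := []byte("constructed-demo-key-use-a-csprng") // constructed for the demo; real keys come from a CSPRNG
	cookie := SignCookie(key, "session", "profile_id=123456789")
	fmt.Println(VerifyCookie(key, "session", cookie)) // profile_id=123456789 <nil>
	// Swapping in another profile ID while keeping the old MAC fails verification.
	_, sig, _ := strings.Cut(cookie, ".")
	forged := base64.RawURLEncoding.EncodeToString([]byte("profile_id=987654321")) + "." + sig
	fmt.Println(VerifyCookie(key, "session", forged)) // verification fails: cookie signature invalid
}
```

The same check rejects a cookie presented under a different name or signed with a different key, which is the property the answer relies on.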

huangapple
  • Posted on 2017-09-07 17:10:31
  • Please keep this link when reposting: https://go.coder-hub.com/46092368.html