gmail doesn't have to use cookies. The "remember me" checkbox will do this, but without it, I don't think it uses cookies. This tool hijacks the session by looking for the session ids in the requests, from what I understand. It's unlikely that it's anything fancy, but it's irrelevant. This thread is saying "turn on always over https" not "omg look at these sweet hax".