I've encountered few posts about a security expert claiming he can easily steal gmail sessions. Very interesting and frightening, eh?
A little more reading reveals that he just got the Session ID by sniffing an unencrypted WiFi network. Same thing can probably be done on any non-ssl web application. I wonder how this boring and misleading article got even into Slashdot.