With Gmail, all it takes is one request to almost any Google service to leak through a non http connection and they have your Auth cookie. Once they have that, they are you. And yes it is that easy, anyone can pull it off at Starbucks, hotels, even some ISPs.
Not speaking for Google, but in general, auth cookies (rather than identity cookies) will only be sent over HTTPS using the "Secure" cookie attribute. This is something done at the browser level, so short of using a very badly behaved browser or HTTP client, this is unlikely to happen.
Sorry for being so naive... does that cookie expire eventually? I have been using HTTPS everywhere on my machine, but if I log in to my Google account for YouTube, for example, from someone else's computer, how much data can they realistically download and how long would they have that ability?