No, the attack is against SSL and Man-in-the-Middle. They just make the browser send SSL requests with those cookies, and then guess the cookie (sent inside the SSL session).