They rely on the Scheme random number generator, which is seeded using the milliseconds of the Unix epoch. Since PG regularly restarts the server, it should be possible to get a window of time in which to test a succession of random number seeds. If you could hang around until the server was dead (say, by testing every few seconds), then log in and obtain a cookie, you'd have enough to predict the server seed. You could then run the random number generator forward, predicting cookie values, and then run them by the server to see which ones are valid.
As people log in, you'd be able to impersonate them. Assuming that an admin logged in while you were testing, you'd be able to impersonate an administrator and have some fun on the site.
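The weakness described above, reproduced on a local toy generator next to the fix; this is an added example, not code from the site or from the original post. It assumes Python's `random` module as a stand-in for the Scheme generator, and the token alphabet, token length, window size and function names are all constructed for illustration.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 8  # constructed length, not the site's real cookie format


def weak_tokens(seed_ms, count):
    """Weak pattern: session tokens drawn from a PRNG seeded with a
    millisecond timestamp. The seed fully determines every token."""
    rng = random.Random(seed_ms)
    return ["".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))
            for _ in range(count)]


def seeds_matching(observed, window_start_ms, window_end_ms, depth=5):
    """Audit check: list every (seed, position) in the restart window whose
    first `depth` tokens contain the observed token. A single hit means one
    legitimately issued token pins down the whole future token stream."""
    hits = []
    for seed in range(window_start_ms, window_end_ms + 1):
        toks = weak_tokens(seed, depth)
        if observed in toks:
            hits.append((seed, toks.index(observed)))
    return hits


def strong_token():
    """Hardened form: 256 bits from the OS CSPRNG, with no seed an observer
    can bound by watching server restarts."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    restart_ms = 1_700_000_000_123            # constructed restart time
    issued = weak_tokens(restart_ms, 5)       # tokens the toy server hands out
    own_token = issued[2]                     # the one token the auditor holds
    # A +/- 2 second window is only 4001 candidate seeds.
    hits = seeds_matching(own_token, restart_ms - 2000, restart_ms + 2000)
    print("seeds consistent with one token:", hits)
    print("CSPRNG token:", strong_token())
```

The search space is set by how precisely the restart time is known, not by the token length, which is why lengthening the cookie does not help and replacing the generator does.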