
Terror Factor

Members
  • Posts: 3
Everything posted by Terror Factor

  1. On wired networks or WPA Enterprise networks you need to do a MITM first. WiFi networks work like a hub: everyone receives the traffic (you can't direct those radio waves to every client individually), so on open networks you can get those cookies (and all other traffic, of course!). On WEP networks you can do the same if you know/crack the password, and on WPA networks you can do the same if you know/crack the password AND capture the handshake of the user(s) you are trying to sniff. The cookie itself is just sent in plain text (you can verify this with Wireshark), so if you can see the traffic, you can see the cookie.
  2. That would be the most logical approach, but if that's the case, wouldn't it be relatively easy to ignore all ARP replies that are broadcasts, since they aren't used(?) normally? It's of course easily circumvented, but it would be better than nothing and would make mass ARP spoofing a bit more difficult/slower.
  3. Wow guys, way to go on not responding to the TS's question. Did you even read it? :/ @TS: The router only responds if it is asked, so it won't compete with the spoofing machine. Also, an ARP reply is normally a unicast (= to one host only) (I'm not sure if the reply is sent as multiple unicasts or a broadcast if you are poisoning a subnet. Can someone fill me in?), so only if that one specific machine is doing an ARP request will the router answer that machine. I think this also answers your second question. Distance does not matter and the router won't be competing :)
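A defender-side check for the behaviour discussed in posts 2 and 3: a legitimate ARP reply is normally unicast to the host that asked, so a reply that arrives as an Ethernet broadcast, or one that contradicts the MAC already learned for an IP, is worth flagging. This is an added example and is not code from the thread or its posters; it parses raw Ethernet/ARP frames with `struct` and runs over three constructed frames (the gateway, host and third-party MAC/IP addresses are made up for the demonstration).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), oper,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_frame(eth_dst: str, eth_src: str, oper: int,
                sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw ARP frame; used here only to construct sample input."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def analyse(frames: List[bytes]) -> Tuple[List[Tuple[int, str, str]], Dict[str, str]]:
    """Flag broadcast ARP replies and IP->MAC changes; the first learned binding is kept."""
    learned: Dict[str, str] = {}
    alerts: List[Tuple[int, str, str]] = []
    for idx, raw in enumerate(frames):
        arp = parse_arp(raw)
        if arp is None or arp.oper != ARP_REPLY:
            continue  # requests are broadcast by design; only replies are judged
        if arp.eth_dst == BROADCAST_MAC:
            alerts.append((idx, "broadcast-arp-reply",
                           f"{arp.sender_ip} is-at {arp.sender_mac} sent to broadcast"))
        known = learned.get(arp.sender_ip)
        if known is None:
            learned[arp.sender_ip] = arp.sender_mac
        elif known != arp.sender_mac:
            alerts.append((idx, "ip-mac-change",
                           f"{arp.sender_ip} was {known}, now claimed by {arp.sender_mac}"))
    return alerts, learned


# Constructed sample: gateway 192.168.1.1, host 192.168.1.20, and a third MAC making a broadcast claim.
GATEWAY_MAC, HOST_MAC, OTHER_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:14", "aa:bb:cc:00:00:99"
SAMPLE_FRAMES = [
    # normal request from the host: "who has 192.168.1.1?" (broadcast, expected)
    build_frame(BROADCAST_MAC, HOST_MAC, ARP_REQUEST, HOST_MAC, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    # normal unicast reply from the gateway to the host
    build_frame(HOST_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, "192.168.1.1", HOST_MAC, "192.168.1.20"),
    # unsolicited broadcast reply from a different MAC claiming the gateway's IP
    build_frame(BROADCAST_MAC, OTHER_MAC, ARP_REPLY, OTHER_MAC, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.20"),
]

if __name__ == "__main__":
    found, table = analyse(SAMPLE_FRAMES)
    for frame_no, kind, detail in found:
        print(f"frame {frame_no}: {kind}: {detail}")
    print("learned bindings:", table)
```

The request in frame 0 is broadcast but never flagged, because that is how ARP requests are meant to work; only replies are judged. Keeping the first learned binding rather than the latest one means a later conflicting claim produces an alert instead of silently replacing the gateway's MAC in the table.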