For a session to be secure all requests that carry the cookie need to be over HTTPS.
When going to https://twitter.com/ I noticed that (among dozens of others) it requests URL http://twitter.com/scribe?[...] (note HTTP, not HTTPS) which includes the session cookie.
Hence, it's sent plain-text, even if you go to https://twitter.com/