Problem: Users who forget to click the "Done" button or close the browser before leaving.

Solution 1: Throw away cookies as soon as the user leaves the domain. 
  Problem: Not all webmail links open in a new window.

Solution 2: Remember a hash of their webmail password and require them to re-enter it to continue to use their cookie.  With this approach, only cookies on password-protected sites are protected.
  Problem: How would you make the dialog not spoofable?