I would argue that it's perfectly fine. My rationale is that PHP sends it in clear text and so does the browser when you use sessions. Here's what happens in the background when you make a web request:
```
> GET / HTTP/1.1
< HTTP/1.1 200 OK
< Date: Tue, 12 Jul 2011 07:00:26 GMT
< Server: Apache
< Set-Cookie: PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Vary: Accept-Encoding
< Content-Length: 5538
< Content-Type: text/html; charset=UTF-8
```
As you can see, I made a GET request and the server responded with
I'd recommend that you look at http://phpsec.org/projects/guide/4.html for some tips and information on session hijacking.
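As an added example (not part of the original answer), the following script parses the `Set-Cookie` header from a response trace like the one above and lists which hijacking-related cookie attributes are present or missing. The function names `parse_set_cookies` and `audit` are hypothetical, and the embedded trace is a shortened copy of the response shown above.

```python
# Added example: audit the session cookie in a captured HTTP response.
# TRACE is sample input, shortened from the response shown in the answer.
TRACE = """\
< HTTP/1.1 200 OK
< Date: Tue, 12 Jul 2011 07:00:26 GMT
< Server: Apache
< Set-Cookie: PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure
< Content-Type: text/html; charset=UTF-8
"""


def parse_set_cookies(trace):
    """Return one dict per Set-Cookie header: name, value, attrs (lower-cased keys)."""
    cookies = []
    for line in trace.splitlines():
        line = line.lstrip("<> ").strip()          # drop curl-style direction markers
        header, sep, rest = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue                               # malformed cookie pair, skip it
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")      # flags such as "secure" have no value
            attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies


def audit(cookie):
    """Return a list of findings for attributes that limit session-ID exposure."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: cookie is readable from page script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("no explicit SameSite: cross-site sending is left to the browser default")
    return findings


if __name__ == "__main__":
    for c in parse_set_cookies(TRACE):
        print(c["name"], sorted(c["attrs"]))
        for finding in audit(c):
            print("  -", finding)
```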