VolkerK is right, but his response errs on the side of caution. The session can be compromised by all sorts of methods. There are ways around this (e.g. using a cached javascript client side to generate hashes against a fixed salt of a challenge generated with each page) but they are messy. By far the simplest solution is to always use SSL. However you might consider using digest authentication combined with a session cookie.
Tor Valamo is wrong. These days bandwidth is very cheap, however what is difficult to achieve is eliminating latency - and latency is the primary determinant of HTTP transfer speed (where most of the content is relatively small). For an HTTP request, there are at least 2 round trips to the server - the TCP handshake then the Request/reply. It will vary depending on the size of files and other considerations, but typically the round trip latency accounts for 50-70% of the elapsed time taken to fetch an object.
Using Keep-alives eliminates one of the round trips and therefore improves throughput greatly.
With SSL, there is at least one additional round trip required (for resumption of an existing SSL session) and more than one for initial SSL negotiation. The real killer is that Microsoft's non-standard implementation of SSL means that you can't use keep-alives from anything other than MSIIS when talking to an MSIE client (see the mod_ssl docs for more info).