I would argue that it's perfectly fine. My rationale is that PHP sends it in clear text and so does the browser when you use sessions. Here's what happens in the background when you make a web request:
```
> GET / HTTP/1.1
> Host: example.com
> Accept: */*
< HTTP/1.1 200 OK
< Date: Tue, 12 Jul 2011 07:00:26 GMT
< Server: Apache
< Set-Cookie: PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Vary: Accept-Encoding
< Content-Length: 5538
< Content-Type: text/html; charset=UTF-8
```
As you can see, I made a GET request and the server responds with `Set-Cookie: PHP_SESSID=` followed by my session ID. Anyone that's "sniffing" the request who would be able to see the session ID in the JavaScript would be able to get it from the headers too. The only thing to worry about would be things like malicious browser plugins and other exploits that are not likely but can be avoided by properly securing your code.
I'd recommend that you look at http://phpsec.org/projects/guide/4.html for some tips and information on session hijacking.
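
Added example, not part of the original answer: a small Node.js check that parses the `Set-Cookie` value from the trace above and reports which attributes relevant to session hijacking it carries, including whether page scripts can read the cookie. The function names `parseSetCookie` and `auditSessionCookie` are hypothetical, and the hardened header used for comparison is constructed.

```javascript
// Added example: audit a session cookie's Set-Cookie value.
// SAMPLE_HEADER is the header value shown in the trace above.
const SAMPLE_HEADER =
  'PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure';
// Constructed for comparison; not from the original page.
const HARDENED_HEADER = 'PHP_SESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

// Split "name=value; attr; attr=value" into a name, a value and a map of
// lower-cased attribute names (flag attributes map to true).
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report the attributes that decide who can read or replay the session ID.
function auditSessionCookie(value) {
  const { name, attrs } = parseSetCookie(value);
  const findings = [];
  if (!attrs.httponly) {
    findings.push('HttpOnly missing: page scripts can read the cookie via document.cookie');
  }
  if (!attrs.secure) {
    findings.push('Secure missing: cookie is also sent over plain HTTP');
  }
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!sameSite) {
    findings.push('SameSite not set: browser default applies');
  } else if (sameSite === 'none' && !attrs.secure) {
    findings.push('SameSite=None requires Secure');
  }
  return { name, scriptReadable: !attrs.httponly, findings };
}

console.log(auditSessionCookie(SAMPLE_HEADER));
console.log(auditSessionCookie(HARDENED_HEADER));
```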