First of all, the server would need to keep a lot of state to prevent replay attacks. Second, attackers can still sniff connections and obtain a great deal of personal information. It'd be less effort to just bite the bullet and use SSL, which has many advantages besides preventing session hijacking. SSL isn't even all that bad for performance if configured properly.
It's really amazing to watch people jump through intellectual hoops to justify not protecting their users with SSL.