The Yesod book says

The encryption prevents the user from inspecting the data, and the signature ensures that the session can be neither hijacked nor tampered with.

It's not clear to me why this is the case. If an eavesdropper gets hold of the cookie as it is sent from the server and uses it before the legitimate user makes another request, won't the session end up being hijacked?

It seems to me that the only way to really prevent session hijacking is to use SSL throughout. But if I do so then the signing and encryption done by Yesod ends up being unnecessary overhead (EDIT: overhead as far as preventing hijacking is concerned. As @sr_ points out in the comments, it is still useful otherwise).
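The distinction the question turns on (tampering vs. replay) is easy to see with a small signed-cookie check. The following is an added example, not code from the Yesod book or from the asker; the cookie layout (`base64(payload).base64(tag)`) and the key are constructed for illustration and do not match Yesod's real clientsession format. Tampering with the payload invalidates the HMAC tag, but an unmodified cookie replayed by an eavesdropper still verifies, which is exactly why the signature alone does not stop hijacking and transport protection (SSL/TLS) is still needed:

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side secret for this example only; a real app would load
# its signing key from a key file and never embed it in source.
SECRET_KEY = b"constructed-example-key-do-not-use"


def sign_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session and append an HMAC-SHA256 tag.

    Hypothetical layout: base64url(payload) + "." + base64url(tag).
    """
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag matches the payload, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a wrong tag does not leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def edit_without_key(cookie: str, new_session: dict) -> str:
    """Model someone who rewrites the payload but cannot recompute the tag."""
    _, tag_b64 = cookie.split(".", 1)
    payload = json.dumps(new_session, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64


def demo() -> dict:
    """Show the three cases the question distinguishes."""
    cookie = sign_cookie({"user_id": 42})
    return {
        # The legitimate user's cookie verifies.
        "legit": verify_cookie(cookie),
        # A payload edited without the key is rejected: the signature stops tampering.
        "tampered": verify_cookie(edit_without_key(cookie, {"user_id": 1})),
        # The same bytes presented again from another client still verify:
        # the signature cannot tell a replay from the original sender.
        "replayed": verify_cookie(cookie),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `replayed` case is the hijacking scenario from the question: the server has no way to tell, from the cookie alone, whether the holder is the user it was issued to, so the cookie must be kept off the wire in the clear. Encryption on top of the signature hides the payload from the client, but it does not change this replay property either.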