[eluser]WanWizard[/eluser]
Not if you also take the other measures into account. So NO user data in the cookie (then there are no credentials to steal), and encrypt the cookie (so its contents, the control measures like IP address, cannot be altered).
And yes, HTTPS server side does cost CPU. What do you think takes care of all encryption (which is a mathematical algorithm)?
Whether or not it is significant depends on your site, your server, and the number of page requests the server has to serve.
Note, the Firesheep trick is just one of the many ways of getting access to your site. CSRF is also very easy to implement, especially if you can position yourself as man-in-the-middle (which is everywhere you can use Firesheep).