Securing REST API without reinventing the wheel

Edit 5 years later

Use OAuth2!

Previous version

No, there is absolutely no need to use a cookie. It’s not half as secure as HTTP Digest, OAuth or Amazon’s AWS (which is not hard to copy).

The way you should look at a cookie is that it’s an authentication token as much as Basic/Digest/OAuth/whichever would be, but less appropriate.

However, I don’t feel using a cookie goes against RESTful principles per se, as long as the contents of the session cookie do not influence the contents of the resource you’re returning from the server.

Cookies are evil, stop using them.
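The answer above calls Amazon’s AWS request-signing scheme “not hard to copy”. The following is an added illustration of that idea, not code from the answer’s author or from AWS: a simplified HMAC-over-canonical-request scheme with the server-side check (key lookup, clock-skew window, constant-time comparison). The key id, secret and header names are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed for this example: one API key pair the server knows about.
ACCESS_KEY_ID = "AKIAEXAMPLE"
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def canonical_request(method, path, query, timestamp, body):
    # Every value the signature must bind, joined in a fixed order, so a
    # change to the method, path, query, time or body invalidates it.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash])


def sign(secret, canonical):
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def client_headers(method, path, query, body, now=None):
    """Client side: headers that carry the key id, timestamp and signature."""
    ts = int(now if now is not None else time.time())
    sig = sign(SECRET_KEY, canonical_request(method, path, query, ts, body))
    return {"X-Key-Id": ACCESS_KEY_ID, "X-Timestamp": str(ts), "X-Signature": sig}


def verify(method, path, query, body, headers, secrets, now=None):
    """Server side: True only if the signature is valid for this request
    and the timestamp is within the allowed skew window."""
    secret = secrets.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False  # unknown key id
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # malformed timestamp
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False  # stale request, or an old one replayed later
    expected = sign(secret, canonical_request(method, path, query, ts, body))
    # Constant-time comparison so timing does not leak signature bytes.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Because the timestamp is part of the signed string, a captured request cannot be reused outside the skew window, and a changed method or body fails verification even with the original headers.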
