In this case I'm considering the username/password as well as the session key as credentials, since they're both used to identify or authenticate the user. So they should not be sent as part of the URL in a GET request, and not in the body of a POST request without using SSL. With SSL the message body will be encrypted, so the data being sent/returned will not be susceptible to interception (under normal circumstances).
Well, credentials would never be passed in the clear, but you do have a good point about the possibility of replay attacks. The issue, though, is to what gain... even with secure authentication for each service, data is still passed as clear text, which is susceptible to sniffing. The session key was to prevent each service from requiring access to a user's credentials (in my opinion server-side security is usually where most products screw things up). We could require the sessionKey to be passed over an HTTPS connection though, and after authentication the connection would drop back to standard security, unless it's very personal data. Does that sound better?
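The transport rules the two posts above converge on (no credentials in a GET query string; username/password and the sessionKey only accepted in a body sent over TLS) can be enforced server-side before any handler sees the request. This is an added example, not code from either poster; it assumes a simplified request object rather than a specific web framework.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Names the discussion treats as credentials: the login secrets and the session key.
CREDENTIAL_PARAMS = {"username", "password", "sessionkey"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    url: str
    tls: bool                                 # True when the request arrived over HTTPS
    form: dict = field(default_factory=dict)  # decoded POST body fields


def check_credential_transport(req: Request) -> list[str]:
    """Return the policy violations for one request (an empty list means it is acceptable).

    Rules taken from the thread:
      1. Credentials never travel in the URL query string (URLs end up in logs,
         proxy caches and Referer headers, and a GET is trivially replayed).
      2. Credentials in a request body are only accepted over TLS.
      3. The session key is a credential too, so rule 2 applies to it after login
         as well; dropping back to plain HTTP would expose it to sniffing.
    """
    problems = []
    query = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    in_query = {k for k in query if k.lower() in CREDENTIAL_PARAMS}
    in_body = {k for k in req.form if k.lower() in CREDENTIAL_PARAMS}
    if in_query:
        problems.append(f"credentials in URL query: {sorted(in_query)}")
    if in_body and not req.tls:
        problems.append(f"credentials in body over plain HTTP: {sorted(in_body)}")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one bad login, one session key leaked over HTTP, one OK.
    samples = [
        Request("GET", "https://api.example/login?username=a&password=b", tls=True),
        Request("POST", "http://api.example/data", tls=False, form={"sessionKey": "k1"}),
        Request("POST", "https://api.example/data", tls=True, form={"sessionKey": "k1"}),
    ]
    for s in samples:
        print(s.method, s.url, check_credential_transport(s) or "OK")
```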