After login, should all pages be https?

Backend · Unresolved · 4 · 1377
醉梦人生 2021-02-02 16:44

This will be a bit difficult to explain but I will try my best.

There is a website that has the login form on every page with username/password fields. These pages a

4 answers
  • 情书的邮戳
    2021-02-02 17:01

    In addition to what The Rook says, submitting a form from http to https is a risk for a couple of reasons:

    1. There is no "lock" icon on the page where people type in their username and password, so they have no way of knowing that their details are encrypted (except by "trusting you")
    2. If someone hijacked your page, your users would have no way to know that they're about to type in their username and password and be redirected to a malicious page (this is somewhat of a corollary to #1).

    This is a much simpler attack than http cookie interception, so it's actually an even bigger risk...

    But The Rook's point is important: you should never mix http and https traffic. On our websites, as soon as you're logged in, everything is https from that point on.
