Is performance the only issue? Can't an HTTPS connection be used throughout a user's session? There is obviously less redirection happening!
I found this related quest
Simply put, you use HTTPS to send over secure information. Thus, credit card information and passwords will use HTTPS to protect them. Compare it to an armored car used to bring prisoners from a county jail to State Prison. But once this information is at the right location, a simple token can be used to refer to the information without any further exposure.

When you log on, the secure connection will generate a session ID which will be valid for 10, 20 minutes before it expires. While there's a risk that someone will capture this session ID, it's still not enough information to take over your information completely. The hacker would just have a short window to misuse that ID. Thus, there's less risk with sessions than with passwords.

Same with credit card information. Once the site knows your credit card numbers, it can just ask you if you want to use card 1, card 2 or another one. It just assigns an ID to each card, which is generally just a number from 1 to the number of cards you have. If someone reads this, they know you're paying $49.95 with card 1. They still don't know anything more about this card, though.

Things that need to be secured are sent with armored cars or HTTPS. Anything else can just use any other kind of transportation.
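
The scheme described in the answer above, as an added example that is not part of the original post: a server-side store that issues a random session ID at login, expires it after a fixed time, and exposes saved cards only as "card 1", "card 2". The class name, method names and the 20-minute TTL are assumptions made for illustration. Note that `user_for` accepts any request presenting a live ID until it expires, which is the exposure window the answer refers to.

```python
import secrets
import time

SESSION_TTL = 20 * 60  # seconds; assumed value, the answer mentions 10 to 20 minutes


class SessionStore:
    """Server-side state: the wire only carries the session ID and a card index."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised in tests
        self._sessions = {}     # session ID -> (user, expiry timestamp)
        self._cards = {}        # user -> full card numbers, never sent back

    def add_card(self, user, card_number):
        self._cards.setdefault(user, []).append(card_number)

    def login(self, user):
        """Called after the password was checked over HTTPS; returns the ID."""
        sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def user_for(self, sid):
        """Return the user for a live session ID, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if self.clock() >= expires:
            del self._sessions[sid]  # expired IDs are dropped, not renewed
            return None
        return user

    def card_choices(self, sid):
        """What the page shows: 'card 1', 'card 2', ... with no card digits."""
        user = self.user_for(sid)
        if user is None:
            return None
        return [f"card {i}" for i in range(1, len(self._cards.get(user, [])) + 1)]

    def pay(self, sid, card_index, amount):
        """Validate the index against the user's cards; the number stays server-side."""
        user = self.user_for(sid)
        cards = self._cards.get(user, []) if user else []
        if not 1 <= card_index <= len(cards):
            return None
        return {"user": user, "card": f"card {card_index}", "amount": amount}
```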