After login, should all pages be https?

Question

This will be a bit difficult to explain but I will try my best.

There is a website that has the login form on every page with username/password fields. These pages are not using SSL. After the user fills in the username/password and submits the form, the form is sent to an authentication page which is https.

I have a few questions about this situation.

1. When submitting a form to an https page, is the data encrypted? Or only after going from an https page (I assume only going from)?
2. If the answer to number one is the ladder, does this mean I would need to use https for all pages because the login form is being redirected from there?
3. After a user is authenticated using https, can the user be redirected back to http and continue using session data? Or should the user remain in https?
4. Is it better/worse to leave the user in https?

Thanks a lot for any help!
Metropolis

CONCLUSION

Ok, so after thinking about this for awhile I have decided to just make the whole thing https. @Mathew + @Rook, your answers were both great and I think you both make great points. If I was in a different situation I may have done this differently, but here are my reasons for making the whole thing https.

1. It will be easier to control the page requests, since I only have to stay in https.
2. Im not overly concerned with the performace (in another situation I may have been)
3. I will not need to wonder if the users data is being secured in all places
4. I will be following the OWASP guideline as Rook stated

Answer 1

According to The OWASP top 10 at no point can an authenticated session id be used over HTTP. So you create a session over HTTP and then that session becomes authenticated, then you have violated The OWASP Top 10 and you are allowing your users to be susceptible to attack.

I recommend setting the secure flag on your cookie. This is a terrible name for this feature but it forces cookies to be https only. This shouldn't be confused with "Httponly cookies", which is a different flag that is helpful at mitigating the impact from xss.

To make sure your users are safe I would force the use of HTTPS all of the time. ssl is a very lightweight protocol, if you run into resource problems, then consider chaining your https policies.

Answer 2

1. Yes. If the action URL is https, the form data is encrypted.
2. Because of #1 you don't have to make the page https, but you may get mixed content warnings. And of course, a man-in-the-middle attacker could manipulate the login page to point to a different action URL.
3. This is a decision for you to make. Clearly, any data transmitted over HTTP, whether cookies (including session cookies) or user data, can be intercepted and manipulated.
4. Again, this is a trade-off based on performance and security.

Answer 3

In addition to what The Rook says, submitting a form from http to https is a risk for a couple of reasons:

1. There is no "lock" icon on the page where people type in their username and password, so they have no way of knowing that their details are encrypted (except by "trusting you")
2. If someone hijacked your page, your users would have no way to know that they're about to type in their username and password and be redirected to a malicious page (this is somewhat of a corollary to #1).

This is a much simpler attack than http cookie interception, so it's actually an even bigger risk...

But The Rook's point is important: you should never mix http and https traffic. On our websites, as soon as you're logged in, everything is https from that point on.

Answer 4

Apart from the previous answers, since people tend to want to go from HTTPS to HTTP for performance reasons, this article about HTTPS at Google might be of interest. Its main message is:

SSL/TLS is not computationally expensive any more.