I have seen sites where the login page is under http and others where it is under https. As I understood it, it's where the login page is under https that the login info is secured. On those that are under http, they are redirected to https only after clicking the submit button.
Does that mean that under http the login info is not encrypted? And the site is only secure after the logon.

Yes. On pages with https://, your information is encrypted and sent. On http://, it's plain.
Hi Mendhak,
Yep, so my concern really is when to put the login under https and when to put it under http. So is it safe to say that logins should be under https whenever there is an intention of going to https after login?
good: login (https) -> submit -> remain under https
not good: login (http) -> submit -> https
Does this depend on the architecture of the site? Or, as a best practice, always start with https://login... rather than http://login and then redirect to https?
For a normal login to a forum or something like that, security isn't a huge deal. To get a site secure, you need to get ahold of an SSL certificate for the site, and set up the secure port on the server. When a secure page is accessed, it will automatically jump to the new port and URLs will be https://. But if you're using the membership class, passwords get hashed before being sent anyway.
Yeah I wouldn't use it for a forum, but I'd use it on all pages for any authenticated pages of a banking or e-commerce website.
You can find lots of good examples by having a look at www.amazon.com, www.ebay.com, www.hotmail.com
So yeah, it depends on the architecture and nature of the website.