 

Must logins be an HTTPS page?

Several security experts have said in the past that the login page should be on SSL (HTTPS). So what if my login is a block that's displayed on all pages? Does that mean that my entire website has to be HTTPS?

I read it's possible to put the form on HTTP but post it to HTTPS, but I also read someone saying that it can be exploited with a man-in-the-middle attack. Can someone confirm this? I have a 100-point bounty for someone who can confirm this (and help me with a practical answer on how to securely solve this). My login form is on every page; do I need to make the whole website HTTPS? Please feel free to question anything I said here. They're only things I read but don't have experience with, and I didn't try them myself.

Edit: to those who asked, when I was posting the question I tried setting the bounty but the system wouldn't let me. I checked the FAQ and saw that a bounty can be posted 2 days after posting the question. That's why you see no bounty yet. But I will not select an answer until I set a bounty in 2 days. Sorry for any confusion.

sami asked Nov 29 '10 23:11


People also ask

Do all websites need to be HTTPS?

Every website needs to have HTTPS. It's downright essential for any website–but especially if you're an ecommerce company looking to build trust and conversions.

Is HTTPS always necessary?

You should always protect all of your websites with HTTPS, even if they don't handle sensitive communications.

Is your application secure if you are using HTTPS for login page?

Having HTTPS only on the login page is insecure. It means you don't use HSTS, which is the only protection against SSLStrip, and it means an attacker can replace, on your HTTP pages, your link to the login page with something else (like a popup that submits credentials to his server).


1 Answer

I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this?

Yes. The form is served up over HTTP, so a man in the middle could inject changes to it (e.g. so it sends credentials to their own server before the form submits).

a practical answer how to securely solve this

If security really matters, use HTTPS for the entire site. Even after the password has been sent, if you go back to HTTP then the cookie can be stolen (see Firesheep).

If security doesn't matter that much, then don't put the login form on every page. Just have a link to a login page instead.

Quentin answered Sep 25 '22 21:09
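The "whole site on HTTPS" advice in the answer above, as an added example that is not part of the original question or answer: a small WSGI middleware that (1) redirects every plain-HTTP request to HTTPS, so the login form is never served over HTTP where a man in the middle could rewrite it, (2) adds a Strict-Transport-Security header on HTTPS responses, so browsers that have seen the site once refuse to go back to HTTP (the SSLStrip point), and (3) forces the Secure and HttpOnly flags onto every Set-Cookie, so the session cookie is never sent in the clear after login (the Firesheep point). The host name `example.com`, the `demo_app` login page, the `session` cookie and the one-year HSTS policy are assumptions for illustration; the middleware uses only the Python standard library.

```python
"""Added example (not the original Q&A's code): WSGI middleware that enforces
HTTPS everywhere, adds HSTS, and hardens session cookies.
Host, demo app, cookie name and HSTS lifetime are illustrative assumptions."""

from urllib.parse import quote

# Assumed policy: one year, covering subdomains. Browsers ignore this header
# on plain-HTTP responses, so it is only attached to HTTPS responses below.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def _harden_cookie(value):
    """Return the Set-Cookie value with Secure and HttpOnly added if missing.

    Secure keeps the cookie off plain-HTTP requests (Firesheep sniffs exactly
    those); HttpOnly keeps page scripts from reading it."""
    attrs = [a.strip().lower() for a in value.split(";")]
    if "secure" not in attrs:
        value += "; Secure"
    if "httponly" not in attrs:
        value += "; HttpOnly"
    return value


class HttpsEverywhere:
    """Wrap a WSGI app so nothing, login form included, is served over HTTP."""

    def __init__(self, app, host):
        self.app = app
        self.host = host  # canonical host used in the redirect target

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is set by the server; if TLS terminates at a proxy,
        # the proxy must set it (or a trusted X-Forwarded-Proto) correctly.
        if environ.get("wsgi.url_scheme", "http") != "https":
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{self.host}{path}" + (f"?{qs}" if qs else "")
            # Permanent redirect; the form itself is never sent over HTTP.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = _harden_cookie(value)
                new_headers.append((name, value))
            new_headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, new_headers, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Assumed application: every page carries the login form and, after a
    successful login, sets a session cookie without any flags."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"<form method='post' action='/login'>"
            b"<input name='user'><input name='pass' type='password'></form>"]


def run(environ):
    """Drive the wrapped app with a WSGI environ dict (constructed, no network)
    and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    app = HttpsEverywhere(demo_app, "example.com")
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run({"wsgi.url_scheme": "http", "PATH_INFO": "/blog", "QUERY_STRING": "p=1"})[:2])
    print(run({"wsgi.url_scheme": "https", "PATH_INFO": "/login"})[:2])
```

Serving the form over HTTPS fixes the injection problem the answer describes, but only the combination of the redirect, HSTS and Secure cookies closes the two remaining holes: without HSTS the first plain-HTTP request is still exposed to a stripping attacker, and without the Secure flag a single later HTTP link to the same site leaks the session cookie.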