Login, at least, should happen over SSL. Ideally the session cookie should be "secure", meaning https only, and a second insecure cookie should merely flag the existence of the secure one, prompting a redirect onto https (for as long as the user is logged in).
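The two-cookie scheme described above, as an added example in standard-library Python (not code from the original comment): the session cookie is marked Secure so browsers only send it over HTTPS, a plain flag cookie advertises that a session exists, and any plain-HTTP request carrying that flag is redirected to HTTPS. Cookie names `sid` and `has_session` are assumed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

SESSION_COOKIE = "sid"        # hypothetical name of the secure session cookie
FLAG_COOKIE = "has_session"   # hypothetical name of the insecure marker cookie


def login_cookies(session_id: str) -> list:
    """Set-Cookie header values to emit after a successful login over HTTPS."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["path"] = "/"
    jar[SESSION_COOKIE]["secure"] = True     # never sent over plain http
    jar[SESSION_COOKIE]["httponly"] = True   # extra hardening, keeps it from scripts
    jar[FLAG_COOKIE] = "1"                   # carries no secret, so may travel over http
    jar[FLAG_COOKIE]["path"] = "/"
    return [m.OutputString() for m in jar.values()]


def logout_cookies() -> list:
    """Expire both cookies so the https redirect stops once the user logs out."""
    jar = SimpleCookie()
    for name in (SESSION_COOKIE, FLAG_COOKIE):
        jar[name] = ""
        jar[name]["path"] = "/"
        jar[name]["max-age"] = 0
    return [m.OutputString() for m in jar.values()]


def route_request(scheme: str, url: str, cookie_header: str) -> tuple:
    """Decide what to do with one request.

    Returns ("redirect", https_url) when a plain-http request shows the flag
    cookie (the browser withheld the secure cookie, so we cannot authenticate
    it here), ("authenticated", session_id) when the secure cookie arrived
    over https, and ("anonymous", None) otherwise.
    """
    cookies = SimpleCookie(cookie_header or "")
    if scheme == "http" and FLAG_COOKIE in cookies:
        parts = urlsplit(url)
        return ("redirect", urlunsplit(("https",) + tuple(parts[1:])))
    if scheme == "https" and SESSION_COOKIE in cookies:
        return ("authenticated", cookies[SESSION_COOKIE].value)
    # A flag cookie without a session cookie over https means the session
    # expired; a real handler would clear the stale flag with logout_cookies().
    return ("anonymous", None)
```

Because the browser never attaches the Secure cookie to a plain-http request, the redirect branch is the only place the flag cookie matters; the session itself is only ever checked over HTTPS.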