ANSWERS: 2
-
For the best security, both pages should be secure. Depending on what language you're using to process the logins, you can probably verify that the user is on and came from your secured pages (in PHP there's a variable to check for it).
-
You need the login page itself to be available only via HTTPS (SSL-secured). The whole point of this is to create a secure, encrypted tunnel to pass the username and password across. If the login page is not SSL-secured and passes the login/password data to another page, then anyone in the right spot on the network who is sniffing traffic will have the unencrypted username/password. You can create a self-signed SSL certificate if you want to avoid the expense of purchasing a cert from someone like VeriSign or GeoTrust; however, every time a visitor comes to the page with the self-signed cert, they will be presented with a dialog box from their browser stating that the cert is not from a trusted authority.
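As an added example (not code from either answer above), here is what the server-side check both answers allude to looks like: the login form is only ever served over HTTPS, a plain-HTTP GET is bounced to the https:// URL, and a plain-HTTP POST is refused outright rather than redirected, because by then the credentials have already crossed the network in clear text. It is written as a framework-free WSGI handler so it runs stand-alone; the user table, cookie name, and the 301/403 policy are this example's own choices, and `X-Forwarded-Proto` is only believed when the operator explicitly says a TLS-terminating proxy is in front.

```python
import hashlib
import hmac
import io
import secrets
from urllib.parse import parse_qs, urlunsplit

# Constructed demo user table (not a real user store): password "correct horse"
# hashed with PBKDF2-HMAC-SHA256.
_SALT = b"example-salt"
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}

# Sent on every HTTPS response so the browser stops trying plain HTTP at all.
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
LOGIN_FORM = (b'<form method="post" action="/login">'
              b'<input name="user"><input name="pass" type="password">'
              b'<button>Log in</button></form>')


def request_is_https(environ, trust_forwarded_proto=False):
    """True if this request used TLS.

    wsgi.url_scheme is what the web server itself negotiated (the PHP
    equivalent is $_SERVER['HTTPS']). X-Forwarded-Proto is honoured only when
    the operator says a TLS-terminating proxy sits in front; otherwise any
    client can forge the header and bypass the check.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url(environ):
    """Same URL with the scheme forced to https (used to bounce a plain-HTTP GET)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


def check_credentials(user, password):
    """Constant-time hash comparison; unknown users still pay the PBKDF2 cost."""
    stored = _USERS.get(user, b"\0" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate) and user in _USERS


def handle_login(environ, trust_forwarded_proto=False):
    """Return (status, headers, body) for /login.

    HTTPS GET  -> serve the form, so the form itself never comes from a plain page
    HTTPS POST -> check credentials, issue a Secure session cookie
    HTTP  GET  -> 301 to the https:// URL; the form is never served over HTTP
    HTTP  POST -> 403, and do NOT process or redirect: the username/password
                  already went over the wire unencrypted, and a redirect would
                  only make the browser resend them.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if not request_is_https(environ, trust_forwarded_proto):
        if method == "GET":
            return ("301 Moved Permanently",
                    [("Location", https_url(environ))], b"")
        return ("403 Forbidden", [("Content-Type", "text/plain")],
                b"login is only accepted over HTTPS")

    if method != "POST":
        return ("200 OK", [("Content-Type", "text/html"), HSTS], LOGIN_FORM)

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    user = form.get("user", [""])[0]
    password = form.get("pass", [""])[0]
    if not check_credentials(user, password):
        return ("401 Unauthorized", [("Content-Type", "text/plain"), HSTS],
                b"bad username or password")
    # Secure: the browser never sends this cookie over plain HTTP, so the
    # session cannot leak later even if other pages on the site are http://.
    cookie = ("Set-Cookie",
              f"session={secrets.token_urlsafe(32)}; Secure; HttpOnly; SameSite=Lax; Path=/")
    return ("200 OK", [("Content-Type", "text/plain"), HSTS, cookie], b"logged in")


def make_environ(scheme, method, body=b"", **extra):
    """Build a minimal WSGI environ (constructed for testing, not a real request)."""
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
           "HTTP_HOST": "example.test", "PATH_INFO": "/login",
           "QUERY_STRING": "", "CONTENT_LENGTH": str(len(body)),
           "wsgi.input": io.BytesIO(body)}
    env.update(extra)
    return env


if __name__ == "__main__":
    for env in (make_environ("http", "GET"),
                make_environ("http", "POST", b"user=alice&pass=correct+horse"),
                make_environ("https", "POST", b"user=alice&pass=correct+horse")):
        status, _, _ = handle_login(env)
        print(env["wsgi.url_scheme"], env["REQUEST_METHOD"], "->", status)
```

In PHP the same test is `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'`, which is the variable the first answer refers to. Note that none of this removes the browser warning a self-signed certificate produces; the code only guarantees that credentials are never accepted on a connection the server itself did not see as TLS.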
Copyright 2023, Wired Ivy, LLC