Paul Ducklin at Sophos has published a very nice review article discussing why web applications which use SSL (encrypted) connections for login processing should use SSL throughout the application, and shouldn’t revert to unencrypted connections once the user has been logged in.
Perhaps the key point that he raises is that – in most cases – there’s really no reason NOT to use SSL. A few years ago, the computational overhead in SSL encryption was a problem but, with seemingly ever-increasing processing power available for relatively low cost, that’s not the case any more. This is something we’ve always believed at Cosaint, and all of our training portals use SSL throughout.
You can find the blog post here. If you’re involved in web application development in any way, it’s worth a few minutes of your time to read it.