Perhaps a nit, BUT … the pages on which the username and
login feels are displayed and into which the user types
their information DO NOT need to be https. (They should be,
but it’s purely for psychological reasons.) It’s the pages
that are *then* referenced by the input form’s action that
*must* be https. Sadly it’s frequently not at all easy to
tell if they are even if the data entry page is https.

I have an article coming up on that shortly on Ask Leo! -
http://ask-leo.com/12587 will be accessible after 7/30/2008.

-Leo