This will be a bit difficult to explain but I will try my best.
There is a website that has the login form on every page with username/password fields. These pages are not using SSL. After the user fills in the username/password and submits the form, the form is sent to an authentication page which is https.
I have a few questions about this situation.
- When submitting a form to an https page, is the data encrypted? Or only after going from an https page (I assume only going from)?
- If the answer to number one is the latter, does this mean I would need to use https for all pages because the login form is being redirected from there?
- After a user is authenticated using https, can the user be redirected back to http and continue using session data? Or should the user remain in https?
- Is it better/worse to leave the user in https?
Thanks a lot for any help!
Metropolis
CONCLUSION
Ok, so after thinking about this for a while I have decided to just make the whole thing https. @Mathew + @Rook, your answers were both great and I think you both make great points. If I was in a different situation I may have done this differently, but here are my reasons for making the whole thing https.
- It will be easier to control the page requests, since I only have to stay in https.
- I'm not overly concerned with the performance (in another situation I may have been)
- I will not need to wonder if the users' data is being secured in all places
- I will be following the OWASP guideline as Rook stated
According to the OWASP Top 10, at no point can an authenticated session id be used over HTTP. So if you create a session over HTTP and then that session becomes authenticated, you have violated the OWASP Top 10 and you are allowing your users to be susceptible to attack.
I recommend setting the Secure flag on your cookie. This is a terrible name for this feature but it forces cookies to be https only. This shouldn't be confused with "HttpOnly cookies", which is a different flag that is helpful at mitigating the impact from XSS.
To make sure your users are safe I would force the use of HTTPS all of the time. SSL is a very lightweight protocol; if you run into resource problems, then consider chaining your https policies.
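The following is an added example, not code from the question or from either answer. It puts the points of the thread into a small, self-contained request handler in plain Python: every plain-HTTP request is redirected to HTTPS (the asker's second and third questions), the session id is rotated at login so an id that may have crossed HTTP never becomes an authenticated one (the OWASP point in the answer), and the session cookie is issued with the Secure and HttpOnly flags the answer recommends. The `Request`/`Response` shapes, the `sid` cookie name, and the user table are constructed assumptions; no real framework is involved.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "sid"      # assumed cookie name
PBKDF2_ROUNDS = 100_000


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table for the example: username -> (salt, pbkdf2 hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}


@dataclass
class Request:
    scheme: str                         # "http" or "https"
    host: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class SessionStore:
    """In-memory sessions. An authenticated id is only ever minted over HTTPS."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": str | None}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user: str) -> str:
        # Rotate the id at authentication: the pre-login id may have
        # travelled over plain HTTP, so it must never carry the login.
        self._sessions.pop(old_sid, None)
        sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        rec = self._sessions.get(sid)
        return None if rec is None else rec["user"]


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        _pw_hash(password, _SALT)  # same cost for unknown users
        return False
    salt, expected = rec
    return hmac.compare_digest(_pw_hash(password, salt), expected)


def session_cookie_header(sid: str) -> str:
    # Secure: the browser sends the cookie only over HTTPS.
    # HttpOnly: page script cannot read it, limiting what XSS can steal.
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check a Set-Cookie header for both Secure and HttpOnly attributes."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return {"secure", "httponly"} <= attrs


def handle(req: Request, store: SessionStore) -> Response:
    # Force HTTPS for every page, including those that merely show the form.
    if req.scheme != "https":
        return Response(301, {"Location": f"https://{req.host}{req.path}"})
    if req.path == "/login":
        user = req.form.get("username", "")
        if check_password(user, req.form.get("password", "")):
            sid = store.login(req.cookies.get(SESSION_COOKIE), user)
            return Response(303, {"Location": "/account",
                                  "Set-Cookie": session_cookie_header(sid)})
        return Response(401, body="bad credentials")
    user = store.user_for(req.cookies.get(SESSION_COOKIE))
    if user is None:
        return Response(401, body="login required")
    return Response(200, body=f"hello {user}")
```

Because the cookie carries Secure, a browser that is later sent to an http:// page of the same site simply will not include it, so "continue using session data over HTTP" is not possible once the flag is set; the redirect in `handle` makes that a non-issue by keeping every page on HTTPS.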