You need to require SSL on every page that you want to control access to. If only the log-in page requires an SSL connection, an attacker does not need your user name and password. Drupal uses cookies for authentication. A cookie is sent with every page request, so observing any traffic at all enables an attacker to gain full control of your account.
On Jan 9, 2011, at 4:23 AM, FGM wrote:

> You can configure your site to use https on pages where you want to login;
> that way the auth information does not cross the net in clear form. It takes
> some planning to do correctly, though, especially if you don't want the whole
> site to be accessed over S-HTTP, for performance reasons.
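
The point made in the reply above, as an added example that is not part of the original thread: an audit helper that applies the browser's Secure-flag and path rules to a session cookie and lists which visited pages would carry it over plain HTTP. The cookie name, URLs and header values are constructed sample data, and domain matching is left out as a simplifying assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_sent(morsel, url):
    """Browser rules that matter here: the Secure flag and the path match."""
    parts = urlsplit(url)
    if morsel["secure"] and parts.scheme != "https":
        return False  # a Secure cookie is never attached to a plain-HTTP request
    cookie_path = morsel["path"] or "/"
    req_path = parts.path or "/"
    # Simplified path match: exact, or the request is below the cookie path.
    return req_path == cookie_path or req_path.startswith(cookie_path.rstrip("/") + "/")


def cleartext_exposures(set_cookie_header, visited_urls):
    """Return the visited URLs on which the session cookie crosses the network unencrypted."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    exposed = []
    for url in visited_urls:
        is_plain_http = urlsplit(url).scheme == "http"
        if is_plain_http and any(cookie_sent(m, url) for m in jar.values()):
            exposed.append(url)
    return exposed


# Constructed browsing session: only the login and account pages use HTTPS.
VISITED = [
    "https://example.org/user/login",
    "http://example.org/node/1",
    "http://example.org/admin/content",
    "https://example.org/user/1/edit",
]

# Constructed Set-Cookie values: the first lacks Secure, the second has it.
LOGIN_ONLY_SSL = "SESSexample=abc123; path=/; HttpOnly"
SSL_EVERYWHERE = "SESSexample=abc123; path=/; HttpOnly; Secure"

if __name__ == "__main__":
    for label, header in (("login-only SSL", LOGIN_ONLY_SSL),
                          ("Secure cookie", SSL_EVERYWHERE)):
        print(label, "->", cleartext_exposures(header, VISITED))
```

With the Secure flag set, the plain-HTTP pages no longer receive the session at all, so every page that needs an authenticated user has to be served over HTTPS.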