Forum OpenACS Q&A: Re: SSL pages forcing log in -- why?
Otherwise, how would we know to trust the authentication?
The solution should be, that if you're having some pages be over SSL, you should make sure that login is over SSL as well.
There's an acs-kernel parameter to do this.
If this is not working as advertised here, please file a bug.