I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.
It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.
Is there a way I can make the pop up login form secure without making the whole site https?
Using an AJAX pop-up (or an iframe) that goes (in theory) to https:// on an http:// page presents two problems:
The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP recommendation:
The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.
Essentially, a MITM could modify the page you use to server that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).
The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https:// site: mybank.example.com and attackers.example.com could both have a valid certificate issued by a trusted authority.
If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https:// site from a popup or an iframe hides the real target website.
This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).
In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.
Short of wrapping the entire site in a SSL protocol, the only other option for this would be to have the Pop-up form be an IFRAME that points to another page with the form that resides on an HTTPS connection.
If initial request is being served by HTTP and you are using same channel to provide "HTTPS" links/forms etc, attacker will simply change that HTTPS to HTTP.
This has been demonstrated by Firesheep
What you can do is to serve HTTPS form over HTTP but enable HTTP Strict Transport Security
Of course, I am assuming you are going to have link like https://login.site.com which will be served by http://www.site.com ... this way you have to create SSL certificate only for sub-site/ one virtual host
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 迷人小祖宗 的文章《Secure popup login possible?》','https://www.manongdao.com/article-255066.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}