Login_form security modification

The default Zope/Plone login_form calls the function ``logged_in'' without forcing a secure connection.

The default login_form for Plone calls the action logged_in as a straight function call, which doesn't force a secure https connection. To force a secure connection, do the following:

  • Log in to your Plone instance in manage mode.
  • Use the ``find'' tab at the top of the screen to search ``With Ids: login_form''. The result will point to an instance in either the plone_skins/plone_forms or the plone_skins/customer directory of your Plone instance.
  • If there's only one instance of login_form on your Plone site, click on it at the top of the find window, then click on the ``customize'' button.
  • Edit the custom login_form to change the ``action="logged_in"'' line to read ``action="https://yoursiteurl/logged_in"''
  • Finally, test the new login_form to ensure that it works (I found that I had a problem with my Apache rewrite rules when I first did this on the www.celestial.com site).