I have a shared SSL certificate from my web host which (for this post's sake) looks like this:
https://some-ssl-cert/mysite
Going to that link would go to my site, and display it in https:// with a green padlock.
The normal site is http://
How do I display the main login for the website as https://?
Obviously I cannot tell or redirect my users to https://some-ssl-cert/mysite so I am very confused on how to implement this.
Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?
So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?
How do I display the main login for the website as https://?
You need an SSL certificate for the host name used for your site. You also need your host to support it.
Lastly, when I need to send sensitive information on other pages that aren't https:// would I simply send that information to https://some-ssl-cert/mysite?
If you need to send sensitive information, then you need to do it over HTTPS. If you are using plain HTTP then you need to redirect to the HTTPS site.
So for instance, if I needed to make a secure ajax request or something would I access the .php file via https://some-ssl-cert/mysite?
The entire webpage needs to be served over HTTPS. Otherwise:
It will be a cross-origin request and the ajax will fail (CORS/JSONP/et al excepted)
The non-secured page could be interfered with (e.g. JS added that would steal the securely acquired data).
Related
I need to simulate from within an iframe in our site, which uses https and it's loaded only once upon the authentication on our site, the authentication into another site, which only uses http.
How can I do that?
We first tried loading into the iframe a page of our site from which the login form for the remote authentication is automatically submitted with javascript. This cannot be achieved because the http request from the form is blocked by the browser for security reasons. I must clarify that if we use http in our web too, the authentication is done without problems.
I'm not sure if using file_get_contents() will do the trick, because it's not a simple static page what we need to display. We need to keep any data from the remote login (cookies, etc) in the browser so that we can access other parts of the remote web (once I've signed in) from other places of our site. As far as I know, file_get_contents doesn't provide any header.
Another alternative I've also considered is curl, using CURLOPT_RETURNTRANSFER=true and CURLOPT_HEADER=true and trying to manually set any cookies I get in the header. I'm not sure if keeping the session implies more actions though.
I have a user login/reg system with a user management admin area.
Just some background:
Currently the login is all 'ajaxy' so the user clicks login and the loading gif swirls around while in the background the details are checked, sessions created.
If all goes well the client side javascript refreshes the page to the correct location.
The questions
Now if I wanted to use SSL, what do I do?
The "ajax" call - I need to secure this - do I do this by making the call to https - is that enough?
1.1 Currently I use jQuery $post which has a relative path to the login.php to check the user login details. Should I make this absolute - eg https://www.mysite.com/ajax/login.php
Should the redirect after login also go to https?
(the site owner should already have a SSL certificate etc)
Thanks
Everything needs to go through SSL.
If the page is HTTP and the Ajax goes to HTTPS then you'll bounce off the same origin policy
If the conditions are as above but you use CORS to work around the policy then a man-in-the-middle attack could alter the page the request is made from and add (for example) extra JS to steal the credentials from the page (instead of from the HTTP request)
If you redirect to HTTP once the user is logged in, then you are vulnerable to the Firesheep problem
So display the login page via SSL, and once the user is logged in, keep using SSL.
Everything that's sent over an SSL connection is encrypted, so yes; making your AJAX calls use SSL will be enough. In practice, you will also need to have the page that's issuing the AJAX calls use SSL to avoid origin policy problems.
Whether you redirect to a relative or absolute path doesn't matter security-wise, it's only a matter of taste.
Assuming you don't want the user's cookie or other actions to get sniffed, then yes, after the user has logged in, all the following communication should also be using SSL. HTTPS doesn't cause much overhead, so there's generally no reason to not use it if it's available to you.
Sorry for the confusion. To clarify my question, the session will be created over ssl and will stay encrypted. While users browse using normal http, I'm asking if I "require" a ssl page that verifies the users' session, will it run in ssl or will it simply be a part of the parent page which is in http which will be unable to retrieve the session id because the session is saved in https.
I'm currently working on a secure member log in with php.
A log in form will redirect to an SSL URL (i.e. https) to keep the password safe for people who are logging in using an unencrypted network/wifi.
The only problem is, I can't think of any way to "securely" pass users' log in session from https to http.
So I was thinking to use "require_once" from php which includes a file url starting with https. And the included file will create a session under https and all I have to do is simply require the page in every authentication-required page.
The only issue is, I'm not too sure if the "required file" will run under https or the codes will simply be included in the parent page and run under http.
In other words, how exactly does include or require work (does the function run the code in the separate page or simply include the code in the parent page and run)? I searched the php manual, but I wasn't able to find the answer. Also, I can't test it by myself because I don't have an ssl license yet.
Also, any suggestion on building a secure log in using https (just for log in) in combination with http for any other user interface?
include() and require() will only go 'external' and do an HTTP-type request if the path you're providing to them looks like a url (e.g. 'http://....'). Otherwise it's interpreted as a local file request and does NOT involve the HTTP layer.
There's no practical difference to PHP if a script was requested via HTTP or HTTPS, except there'll be extra SSL-specific entries in $_SERVER. Includes/requires still work as if the script were running in a non-SSL environment, and the script can still do CURL requests and whatnot. Remember that the SSL link is established by the server and the client browser BEFORE php is invoked, and applies only to the client<->server communications. Anything the script does with external resources will only involve SSL if the resources requested are themselves fetched via a completely separate SSL request.
You cannot "turn on" SSL from within a PHP script. There's no mechanism in HTTP to dynamically migrate a link from a regular unencrypted port 80 to an encrypted port 443 within the same request. You can redirect the client towards an SSL url, but that involves a completely new HTTP request - the original request started as non-SSL and will stay non-SSL.
Edit: The below is an answer to the original question, which was phrased in a way that made it sound like the author only wanted the login page to be protected.
I assume that the reason you want to redirect back to HTTP is that the site contents itself isn't confidential, and that you only care about protecting the user's password and account. However, if you redirect the user back to HTTP after logging in, your site will be almost as insecure as if you didn't use HTTPS at all. Granted, HTTPS login will prevent the user's password from being sniffed, but anyone can use Firesheep or similar applications to steal the user's session id after login if you redirect back to HTTP - then, they can take over the account by changing the password (or simply act as the user without changing the password).
(While we're on the subject: why on Earth doesn't StackOverflow use HTTPS after login?) :-(
In order to maintain security, you need to ensure the https:// is in the user's address bar at all times. You can't just include a file and expect it to be secure.
Think of it this way. Say you have a form on http:// and you make a curl call to https:// # Verisign to post a credit card payment. That unencrypted data can easily be intercepted before it reaches Verisign's secure page.
If it's SSL, keep it SSL throughout the entire session. You'll notice on bank sites, there is usually a login button which directs you to an https:// page containing the form - OR they mix it by grabbing your username on the http:// page and then posting that to the https:// page before asking for your password. US Bank does this just to get the user engaged on the home page.
EDIT:
To respond to the new clarification. I would not let a user browse http:// pages while logged in via https://. I would add this logic:
<?php
// Redirect any plain-HTTP request from a user who logged in over SSL back to HTTPS.
session_start();
if(isset($_SESSION['LOGGED_IN_SSL']))
{
    // $_SERVER['HTTPS'] is unset on plain HTTP (and "off" on some servers), so
    // guard against an undefined index instead of comparing != "on" directly.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "off")
    {
        $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        header("Location: $url");
        exit();
    }
}
That would force the user to view the https:// version of whatever page he/she wishes to view.
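A fuller version of the same idea, written here as an added example (not the answer's own code, and not part of any project): it goes beyond the snippet above by forcing HTTPS for every request, not only logged-in ones, and by marking the session cookie Secure so it cannot be sniffed as the Firesheep discussion in the other answers describes. It assumes PHP 7.3+ (array form of session_set_cookie_params) and that the constant BEHIND_TRUSTED_PROXY is something you define yourself only when a TLS-terminating proxy you control sets X-Forwarded-Proto.

```php
<?php
// Added example: require_once this at the top of every page to keep the whole
// session on HTTPS. BEHIND_TRUSTED_PROXY is a hypothetical constant you define.

// Detect whether this request arrived over TLS. $_SERVER['HTTPS'] may be unset,
// "off" (IIS) or "on"; comparing != "on" alone raises a notice when it is unset.
function request_is_https(): bool {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    // Assumption: trust the forwarded-proto header only behind a proxy you control,
    // otherwise any client could claim it used HTTPS.
    if (defined('BEHIND_TRUSTED_PROXY') && BEHIND_TRUSTED_PROXY
        && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Redirect the current request to its https:// equivalent and stop.
// SERVER_NAME comes from server config; HTTP_HOST is client-supplied, so it is
// not used to build the redirect target.
function redirect_to_https(): void {
    $url = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $url, true, 301);
    exit();
}

// The session cookie must never travel over plain HTTP, or the HTTPS login
// protects the password but not the session that results from it.
session_set_cookie_params([
    'secure'   => true,   // browser sends it only over HTTPS
    'httponly' => true,   // not readable by injected JavaScript
    'samesite' => 'Lax',
]);
session_start();

if (!request_is_https()) {
    // Never handle credentials or a logged-in session over plain HTTP.
    redirect_to_https();
}

// Ask browsers to use HTTPS for this host from now on (HSTS).
header('Strict-Transport-Security: max-age=31536000');

// After a successful login the login handler should also call
// session_regenerate_id(true) so the pre-login session id is not reused.
```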
If I call a single PHP file that in turn uses GET's and POST's to build the HTML page as well as process other data and store it in SESSION, do I need to mirror the entire site into an HTTPS capable directory or does only the page being called need to be in the directory?
So for example my computer sends my name via POST to the server and specifically Index.php.
If the address of Index.php is is the data secure going to the server?
Is the data returning, most specifically the SESSION data, also secure?
Also I apologize if this question has been answered a hundred times, for some reason I could not think of the proper search terms to find the answer.
do I need to mirror the entire site into an HTTPS capable directory or does only the page being called need to be in the directory?
No. A web server can be set up so that it serves the same directory for both http and https.
If the address of Index.php is is the data secure going to the server?
If it is the https protocol that is specified in the url, then all the traffic (request from client to server and response from server to client) between client and server is encrypted.
Is the data returning, most specifically the SESSION data, also secure?
Session data is never sent to client. It is stored on the server.
How would you use https? Would sending information via GET and POST be any different while using https?
Any information and examples on how https is used in php for something simple like a secure login would be useful,
Thank you!
It will be no different for your php scripts, the encryption and decryption is done transparently on another layer.
Both GET and POST get encrypted, but GET will leave a trace in the web server log files.
HTTPS is handled at the SSL/TLS Layer, not at the Application Layer (HTTP). Your server will handle it as aularon was saying.
SSL and/or HTTPS is used to provide some level of confidentiality for data in transit between the web users and the web server. It can also be used to provide a level of confidence that the site the users are communicating with is in fact the one they intend to be.
In order to use SSL, you'll need to configure these capabilities on the server itself, which would include either purchasing (an authority-signed) or creating (a self-signed) certificate. If you create your own self-signed certificate, the level of confidence that the site is the intended one is significantly reduced for your users.
PHP
Once your webserver is able to serve SSL-protected pages, PHP will continue to operate as usual. Things to look out for are port numbers (normal HTTP is usually on port 80, while HTTPS traffic is usually on port 443), if your code relies on them.
GET & POST Data
Pierre 303 is correct, GET data may end up in the logs, and POST data will not, but this is no different than a non-SSL web server. SSL is meant to protect data in transit, it does nothing to protect you and your customers from web servers and their administrators that you may not trust.
Secure Login
There is also a performance hit (normally) when using SSL, so, some sites will configure their pages to only use https when the user is sending sensitive information, for example, their password or credit card details, etc. Other traffic would continue to use the normal, http server.
If this is the sort of thing you'd like to do, you'll want to ensure that your login form in HTML uses an ACTION that points to the https server's pages. Once the server accepts this form submission, it can send a redirect to send the user back to the page they requested using just http again.
Just ensure you're sending the correct headers when allowing files to be downloaded over ssl... IE can be a bit quirky. See http://support.microsoft.com/kb/323308 for details of how to resolve this.