Securing Drupal for authenticated users
The default installation of Drupal transmits the username and password in cleartext. I would like to secure my Drupal installation with the following goals in mind:
- Anonymous users should be able to access the entire web-site over http (non-secure)
- Authenticated users should be provided access only over secure https
I have read several posts on this topic, but none of them provides a complete solution on one page. So I have come up with a 4-step approach to achieve this. I am relatively new to Drupal, so please correct me if I have missed anything in this setup.

Step 1

Set the following parameter in your Apache configuration (.htaccess file or httpd.conf):

# Allow the session cookie over a secure channel only
php_value session.cookie_secure 1

This instructs PHP to set the session cookie with the Secure attribute, so browsers send it back only over https. When users connect via the regular http URL, they will always be "anonymous", even if they have a valid session on the https site [1].

Step 2

Specify the https protocol in your drupal/sites/default/settings.php file:

# All absolute URLs emitted by Drupal will contain https
$base_url = 'https://example.com'; // NO trailing slash!

Your web site will be accessible over both http and https as long as the Apache configuration maps both protocols to the same Drupal installation. Most of the pages Drupal generates do not contain absolute URLs; the URLs generated for the nodes within the site are of the form /node/123. As a result, a regular user visiting http://example.com can navigate the entire site even though $base_url points to https, and users can go directly to https://example.com for secure access. Note that the login form's action is also a relative URL, so a user who opens the login form over http still posts the password over http unless that path itself is forced onto https.
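As an added check (example code written for this page, not from the original post or from Drupal itself), the script below parses Set-Cookie headers the way a browser does and reports which cookies would be sent back over http versus https. This is how to confirm that session.cookie_secure actually took effect: with the Secure attribute present, the session cookie never reaches the http:// side, which is why Drupal sees those visitors as anonymous. Drupal names its session cookie SESS followed by a hash; the specific cookie name, value and header lines here are constructed samples, not captures from a real site.

```python
"""Check whether Drupal's session cookie is usable over plain http.

Added example, not part of the original post. Parses Set-Cookie headers as a
browser would and reports which cookies would be attached to a request over
http versus https. The header samples below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value (name=value; attr=val; flag)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":          # flag attribute, no value
            cookie.secure = True
        elif key:
            cookie.attrs[key] = val.strip()
    return cookie


def cookies_from_headers(raw_headers: str) -> list[Cookie]:
    """Extract every Set-Cookie header from a raw response header block."""
    cookies = []
    for line in raw_headers.splitlines():
        hname, _, hval = line.partition(":")
        if hname.strip().lower() == "set-cookie" and hval.strip():
            cookies.append(parse_set_cookie(hval))
    return cookies


def cookies_sent_over(cookies: list[Cookie], scheme: str) -> list[str]:
    """Names of cookies a browser would attach to a request over `scheme`.

    Per RFC 6265 a cookie carrying the Secure attribute is only sent on a
    secure channel, so with session.cookie_secure = 1 the SESS cookie is
    never presented to the http:// side of the site.
    """
    if scheme == "https":
        return [c.name for c in cookies]
    return [c.name for c in cookies if not c.secure]


def insecure_session_cookies(cookies: list[Cookie]) -> list[str]:
    """Drupal session cookies (SESS prefix) that lack Secure, i.e. the
    setting from Step 1 is not in effect for this response."""
    return [c.name for c in cookies
            if c.name.startswith("SESS") and not c.secure]


# Constructed sample: login response with session.cookie_secure = 1 in place.
HARDENED_HEADERS = """\
HTTP/1.1 302 Found
Set-Cookie: SESS2b3f0a1c=abc123; expires=Wed, 01-Oct-2008 12:00:00 GMT; path=/; domain=.example.com; secure
Location: https://example.com/user/1
"""

# Constructed sample: the same response with PHP's default (no Secure flag).
DEFAULT_HEADERS = """\
HTTP/1.1 302 Found
Set-Cookie: SESS2b3f0a1c=abc123; expires=Wed, 01-Oct-2008 12:00:00 GMT; path=/; domain=.example.com
Location: http://example.com/user/1
"""


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        cookies = cookies_from_headers(raw)
        print(f"{label:8s} sent over http: {cookies_sent_over(cookies, 'http')}"
              f"  missing Secure: {insecure_session_cookies(cookies)}")
```

To run it against a live site, save the headers from the https login response (for example with curl -D) and feed that text to cookies_from_headers instead of the samples; an empty result from insecure_session_cookies means Step 1 is in effect.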

very interested
Hello, I'm really surprised that Drupal does not include built-in SSL support.
It seems that version 7 will do that (according to the "State of Drupal, August 2008"),
so I appreciate this post very much (and this site, because it cares about important topics).
However, this post refers to Drupal 4.7; could someone tell me whether it is still considered a secure/good solution for Drupal 6?
Does anyone know other links/posts about this topic?
I will be very happy for any help with that, and most of all I will be happy if we could start a discussion about security management in Drupal 6.
thank you very much,
ganymede