I notice many websites implementing HTTPS for changes in account information even though the user has already logged in through HTTPS and is tracked by a SESSION.
Is this really necessary?
In fact, any site that uses a combination of HTTP and HTTPS will be vulnerable to man-in-the-middle attacks, and most will also be vulnerable to Firesheep-like attacks that capture the session cookie by eavesdropping on the HTTP connection.
It is not enough to use HTTPS for just the login and changes in account information. Sites need to use HTTPS for everything if they want to be secure against man-in-the-middle attacks (e.g., if they want to be secure for users who are connecting over open Wi-Fi).
See the following questions on this site: "What are the pros and cons of site wide SSL (https)?", "When are HTTP session cookies at risk over Wi-Fi?", and "What sites are still vulnerable to FireSheep?".
Yes, it is necessary. If you are sending data through HTTP, your data will be in plain text and can be read. By sending the data through HTTPS, you ensure that the data channel will be encrypted.
In fact, all communication should be done over an HTTPS channel. Using HTTPS only for authentication is a bad idea. After authentication, a session id is created which may be used to impersonate the logged-on user.
Why do you expect that in case of a man-in-the-middle attack the login would fail? It would fail only if the user noticed the incorrect certificate, but that is not important in this case. If the password change does not require HTTPS, the attacker doesn't need to mount a man-in-the-middle attack. It is sufficient for him to just listen to the communication. He will not be able to see the user name and password during authentication, but he will see the new password when the user changes it. The username will probably be displayed somewhere on the pages, so the attacker will get both username and password just by listening. There is no need for active attacks like man-in-the-middle.
Some additional information about HTTPS can be found in the Transport Layer Protection Cheat Sheet.
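The answers above make the same point from two angles: a session cookie issued after an HTTPS login leaks the moment the browser sends it over a plain HTTP page, and a site that mixes HTTP and HTTPS keeps that door open. The following is an added example, not code from any of the answers or from a real site, of a small response-header audit a defender can run against their own application: it flags session cookies set without the `Secure` (and `HttpOnly`) attribute, a missing `Strict-Transport-Security` header, and redirects back to plain HTTP, and it shows how to rewrite a `Set-Cookie` value so the cookie is only ever sent over HTTPS. The header lists and cookie names are constructed for the example.

```python
"""Audit HTTP response headers for the session-cookie exposure discussed
in the answers above.  Added example with constructed sample data."""


def _split_set_cookie(value):
    """Split a Set-Cookie value into (cookie_name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0]
    attr_names = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return cookie_name, attr_names


def audit_response(headers):
    """Return a list of findings for one response.

    headers: list of (name, value) tuples, because Set-Cookie may repeat.
    Each finding describes a way the session could be exposed over plain HTTP.
    """
    findings = []
    present = {name.lower() for name, _ in headers}

    # Without HSTS a browser will still follow http:// links or typed URLs,
    # and every such request carries any cookie that lacks the Secure flag.
    if "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security: browser may still "
                        "issue plain-HTTP requests to this host")

    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = _split_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure: it will be sent "
                                "over any HTTP link and can be sniffed (Firesheep-style)")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by "
                                "script injected into the page")
        elif lname == "location" and value.lower().startswith("http://"):
            # A redirect from the HTTPS area back to HTTP undoes the login's protection.
            findings.append(f"redirect to plain HTTP: {value}")
    return findings


def harden_set_cookie(value):
    """Rewrite a Set-Cookie value so the cookie is only sent over HTTPS,
    is hidden from script, and is not attached to cross-site requests."""
    _, attrs = _split_set_cookie(value)
    out = "; ".join(p.strip() for p in value.split(";") if p.strip())
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += "; SameSite=Lax"
    return out


# Constructed sample responses (not captured from any real site).
MIXED_SITE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),          # no Secure, no HttpOnly
    ("Location", "http://example.test/account"),         # bounce back to HTTP
]

HTTPS_ONLY_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("mixed HTTP/HTTPS site", MIXED_SITE_RESPONSE),
                        ("HTTPS-only site", HTTPS_ONLY_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_response(resp) or ["no findings"]:
            print(" -", finding)
    print("hardened:", harden_set_cookie("sessionid=abc123; Path=/"))
```

The audit is deliberately per-response: the Firesheep scenario needs only one unencrypted request that carries the cookie, so a single page served over HTTP, or a single cookie missing `Secure`, is enough to fail the site as a whole, which is exactly why the answers recommend HTTPS everywhere rather than on selected pages.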