I know that protecting all pages with SSL will slow down the website and add overhead to the server resources.
I also see many other websites only protecting their login and registration page, which I also want to do on my server running apache.
Why is it considered bad practice to only protect only pages where the user's password is entered instead of the whole site?
Also, instead of using something like https://mysite.com/login.php, should I maybe change to https in this way: https://secure.mysite.com/login.php?
Best Answer
Cookie security is the main thing that I'd point to for your approach.
A user that logs in on your secure login page gets a cookie for their session, right? That cookie's then being transmitted in plain text for someone watching the wire (Firesheep) to intercept and steal the session.
There is additional overhead in terms of negotiation time and CPU load from SSL, but it's rather minimal. If there's anything sensitive going on on your site, just use SSL everywhere.
See also: this question