David, Mario, Maas, Thank you for your comments. I will revert back to securing all pages post-login and fully assess the performance implications / benefits before making any changes. Ironically it could be that the redirect to unsecure a page costs as much, or more, than sending the page over https in the first place. Security is important to my app so I will stick with https for now. Tristan