I had a look at modules to help me make sure all logins were only done via HTTPS and that these authenticated sessions were only available via HTTPS. In other words passwords are only transmitted via HTTPS and not in plain text, the same for any content changes, although this is not strictly needed. I chose to use Secure Pages, partly because it did what I needed and critically because it is currently being maintained and has a lot of users.

The securepages micro-site does say to "Set $conf['https'] = TRUE; in settings.php.", however I have not done this because I do not want mixed HTTP/HTTPS sessions which this setting enables. Although the module does handle this quite well, I prefer the simple and clear switch. However, I might need to review this in the future but for now this is a good solution.