Is there a way to force the login form to use https?

I was going to add a secure_site_url to config.php under the site_url.

Then in modules/Users/Login.php I would update the form action like so:
<form action="<?=$sugar_config['secure_site_url']?>/index.php"

Finally, in modules/Users/Authenticate.php I would redirect back to http instead of https.

But I'm concerned about this breaking when I do upgrades. Is there another way to do this?

I don't want everything running in https, but login credentials need to be secure.