Login page should be served using HTTPS\SSL. Note this is the serving of the login page not just the post back once user details are entered. Otherwise it is possible for someone to tamper with the page contents and you may find your users posting their details to a different site and stolen.

Many people think of HTTPS\SSL as a technology that encrypts data. The aspects it provides are
1) It ensures the data was received from the correct Server in the first place
2) It ensures the data was not altered
3) Finally it encrypts the data so it cannot be read on the wire

Many people regard 1 + 2 as the main benefits.

Consideration should be given to whether all content should be over HTTPS\SSL as the cost of doing so is minimal (HTTPS requires a little more processing power usually considered to be 1%). In order to set your cookie secure flag https will be required for all authenticated content anyway.

HSTS headers can be used to further encourage all content over HTTPS.