However, POSTing from an HTTP login page to an HTTPS "logged in" page opens you up to JavaScript injection attacks that can sniff credentials as you perform the login action.
Further, SSL-stripping man-in-the-middle attacks on any HTTP page on a site can force your session to remain in cleartext, even if you navigate to a page that's supposed to be encrypted. Your web server really needs to redirect to HTTPS always to protect against this.
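
A check for both conditions described above, as an added example that is not part of the original text: it takes already-captured responses for a site's URLs and flags HTTP pages that are not redirected to HTTPS, along with any login forms served from them. The `audit` and `LoginFormFinder` names, the response tuple layout and the `example.test` sample data are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.action = None          # action of the form currently open, if any
        self.has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.has_password = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = self.action is not None  # only counts inside a form

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.login_actions.append(self.action)
            self.action = None

def audit(responses):
    """responses maps url -> (status, headers, body); returns sorted findings."""
    findings = []
    for url, (status, headers, body) in responses.items():
        if urlsplit(url).scheme != "http":
            continue
        if status in (301, 302, 307, 308) and headers.get("Location", "").startswith("https://"):
            continue  # cleartext request is upgraded straight away
        findings.append((url, "http page served without redirect to https"))
        finder = LoginFormFinder()
        finder.feed(body)
        for action in finder.login_actions:
            target = urljoin(url, action)  # resolve relative actions against the page URL
            kind = "posts to https from an http page" if urlsplit(target).scheme == "https" else "posts in cleartext"
            findings.append((url, "login form " + kind + ": " + target))
    return sorted(findings)

# Constructed sample responses (example.test is a placeholder host).
SAMPLE = {
    "http://example.test/": (301, {"Location": "https://example.test/"}, ""),
    "http://example.test/login": (200, {}, '<form method="post" action="https://example.test/session">'
        '<input name="user"><input type="password" name="pw"></form>'),
    "http://example.test/about": (200, {}, "<p>About us</p>"),
    "https://example.test/session": (200, {}, "ok"),
}
```

Calling `audit(SAMPLE)` reports `/about` and `/login` as cleartext pages and flags the login form even though its action is an HTTPS URL, since the page carrying the form was itself delivered over HTTP.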