But for some reason it's not switching the site to https when a user logs in.
That setting doesn't force the user to the https version of your site. Enabling that removes an SSL security check that some servers can't properly perform. It's never recommended to enable that setting in production.
With social network authentication, all logins are performed over SSL connections. The user's credentials, security tokens and various profile details are *all* encrypted by each network in transit. After the user is logged in, we return them to the protocol they were originally on. We don't have an option to force authenticated users to https in JFBConnect.
There is a setting in Joomla to force all users to https, but I don't know of any that works for just logged-in users. There *may* be a plugin to do what you're looking for, which is what we'd recommend first since it would work with Joomla-authenticated users. A plugin like that may also prevent a user from intentionally trying to switch back to http:// (or clicking an incorrect link). I'm not aware of such a plugin, or I'd gladly refer you to one.
The other option is to enable/force https always on your site. Forcing https should have a pretty negligible effect on overall performance and increases security for guests as well. We, and many other sites, choose to use https always for that reason.
I hope that helps explain, but if you have any questions, please let me know.
Thanks,
Alex