After you have logged in, you will get a session cookie/key that you have to send on every request. An adversary can just steal that session key from the compromised connection.