They could be anywhere... do a site wide search for "login.php"
If you find it on a lot of pages it might make sense to just do it with a .htaccess file, or even code on the top of the login.php page itself:
if($_SERVER["HTTPS"] != "on")
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);