Avoid clients to log in on non SSL on all domains except the designated hostname.

One of my clients discovered that he can log in from port 8090 on his domain with no SSL instead of the designated hostname with SSL. Is this intended behavior? Is there a way to avoid this security risk? He insists on login on his domain because he considers it to be easier to remember, stubborn people like him are everywhere.

No worries, I fixed it by just implementing HSTS on the vHost, that makes it impossible for them to proceed. Now it looks more professional.