I would always argue that the best way of validating forms server side is to split the script in two.

logon_display.php - A template that displays the form.
logon_input.php - The script that receives the input, validates and verifys the logon credentials.

Doing it like this will enable you to keep the form and the script that actually logs the user on separate entities.

login_display.php may look something like this:
PHP Code:
<?php
    
/* disable notices as variables will be undefined on first display */
    
error_reporting(E_ALL E_NOTICE);
    
session_start();

    
$formMessage $_SESSION['formMessage'];
    
$username $_SESSION['username'];
    
$password $_SESSION['password'];
?>
<html>
    <head>
        <title>Logon</title>
    </head>
    <body>
        <p>Enter your login details below:</p>
    <form action="logon_input.php" method="post">
        <div><?php echo($formMessage?></div>
        <div>
        <p><?php echo($username['msg']) ?></p>
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" 
                value="<?php echo($username['value']) ?>" />
        </div>
        <div>
        <p><?php echo($password['msg']) ?></p>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" />
        </div>
        <div><input type="submit" /></div>
        </form>
    </body>
</html>
Your logon_input.php will process the form and validate it. If validation and authentication success, a sesion variable called authenticated is set to true and the user is redirected to the next page. If it fails, the appropriate messages are set and added to the session and the user is redirected back to the logon page.
PHP Code:
<?php
    session_start
();
    
$_SESSION = array(); // clear any old session data

    /* check a username is present */
    
if ((! isset($_POST['username'])) || trim($_POST['username'] == '')) {
        
$_SESSION['formMessage'] = 'Error Processing Request';
        
$_SESSION['username']['msg'] = 'Username Cannot be Left Blank';
        
header('Location: logon_display.php');
    exit;
    }

    
/* check a password is present */
    
if ((! isset($_POST['password'])) || trim($_POST['password'] == '')) {
        
$_SESSION['formMessage'] = 'Error Processing Request';
        
$_SESSION['password']['msg'] = 'Password Cannot be Left Blank';
        
header('Location: logon_display.php');
    exit;
    }    

    
$username $_POST['username'];
    
$password $_POST['password'];

    if (
authenticate($username$password)) {
    
/* valid username and password */
    
$_SESSION['authenticated'] = true;
    
header('Location: next_page.php');
    } else {
    
$_SESSION['formMessage'] = 'Invalid Username or Password';
    
$_SESSION['user']['value'] = $username;
    
header('Location: logon_display.php');
    }
    
    
/* this function will authenticate the user, prehaps via a database
       or a file. in this case i just put the username and password in an
       array */
    
function authenticate($username$password)
    {
    
$users = array ('user1' => 'password1',
                    
'user2' => 'password2');
            
    
/* it is cruciual that you uncomment these lines if you a inserting
       these values into a query to prevent sql injection. These are for
       Mysql, so you my have to modify them appropriately for other
       databases. */
    // $username = mysql_escape_string($username);
    // $password = mysql_escape_string($password);
    
    
return array_key_exists($username$users) && ($users[$username] == $password);
    }
?>
Notice how the session is used, once logged on to store a variable to indicate the user has logged on. You should check this exists on every page that requires authentication and to log the user out you simply set this variable to false.

next_page.php contains an include to a small script called auth.php that checks for authentication. To enable authentication for a specified page, simply put this line at the top of the script:
PHP Code:
require 'auth.php'
auth.php
PHP Code:
<?php
    session_start
();
 
    if (! @
$_SESSION['authenticated']) {
    
header('Location: logon_display.php');
    exit;
    }
?>