I'm not exactly sure of the behavior of POST between pages, but the $_POST global is populated by the POST field in the HTTP request header. So if it gets overwritten each time, so do those fields you are setting your session variables to when you link back.
I would set your session variables after you have done the authentication and it is valid. Then I would set the session variables to the post variables ONLY once, and that is after authentication. Then when you check them again, check against the session variables instead of the post ones. Is that making sense? I'm a little tired right now hehe. Let's see about a code example:
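<?php
// mysqli replaces the mysql_* extension, which was removed in PHP 7.
$link = mysqli_connect('host', 'root', 'pass', 'dbname')
    or die("you fail");
session_start();
// Read the submitted credentials; missing fields become empty strings.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// Validate the posted values; the session is still empty at this point.
if ($username == "" || $password == "")
{
    die("Please do not leave the username / password field blank!");
}
// Bind the values as parameters so user input cannot change the SQL.
$stmt = mysqli_prepare($link, "SELECT * FROM users WHERE username=? AND password=?");
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$number = mysqli_stmt_num_rows($stmt);
if ($number == 0)
{
    die("Your login details are not right. Please click the back button and correct them.");
}
else
{
    // Issue a fresh session ID once the login has succeeded.
    session_regenerate_id(true);
    // Set the session variables ONLY once, after authentication.
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
}
?>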
This is roughly what I'm talking about. Also, you are running the authorization script each time you load the page, creating unpredictable results (well, without me stepping through your code for a little while). Use another session variable to signify a user that has already logged in, and don't bother with the authorization if they are already a valid user.
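
The "already logged in" flag from the last paragraph, as an added example that is not part of the original post. The names `$USERS`, `is_logged_in`, `attempt_login` and `require_login` are hypothetical, the user store is a constructed in-memory array instead of the `users` table, and it assumes passwords are stored as `password_hash()` hashes, so only the flag and the username go into the session.

```php
<?php
// Added example: all function and variable names here are hypothetical.
session_start();

// Constructed sample user store standing in for the users table.
// Only a password hash is stored, never the password itself.
$USERS = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// True when this session was already authenticated on an earlier request.
function is_logged_in(): bool
{
    return !empty($_SESSION['logged_in']);
}

// Check the posted credentials once; on success record the result in the session.
function attempt_login(array $users, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return false;
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID once the user is authenticated
    $_SESSION['logged_in'] = true;      // the "already a valid user" flag
    $_SESSION['username']  = $username; // no password is kept in the session
    return true;
}

// Page guard: run the authentication only when the session is not already valid.
function require_login(array $users, array $post): bool
{
    return is_logged_in() || attempt_login($users, $post);
}

// Constructed request sequence: a login POST, then a link back with an empty POST.
$first  = require_login($USERS, ['username' => 'alice', 'password' => 'correct horse']);
$second = require_login($USERS, []);  // POST is empty here; the session flag carries over
unset($_SESSION['logged_in']);
$third  = require_login($USERS, []);  // no flag and no credentials
var_dump($first, $second, $third);
```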