providing a Location: header in PHP without specifying a status code defaults to a 302. this is equivalent to: header('HTTP/1.1 302 Found'); header("Location: http://www.example.com/login.php"); note that the Location: header should contain an absolute url.
the search engine isn't going to see any content that is behind a login, so it probably makes sense to noindex the login.php url or at least exclude the bot from crawling that path with a robots.txt entry.
the 401 status code specifies that HTTP authentication is required and the only response header appropriate for that status code is WWW-Authenticate. when challenged to authenticate with a 401, the browser handles the authentication and this is different from the html login form which would be served by the /login.php url.
that is user-agent-dependent behavior. a modern browser will likely make the proper best guess if you fail to provide an absolute url. however do you want to risk an unintended redirect by a search engine crawler when you provide an ambiguous response? conformance to protocol is a better solution. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30 [w3.org]:
The (Location response-header) field value consists of a single absolute URI.