He is right, make the form submit to a page on your server. This can be a little dangerous, so keep that in mind if you are transferring important data. You should be ok from what I believe you want to do though.
this is one issue I have seen. I know of a few tutorials out there that do login pages, but they don’t have a good tutorial showing how to handle the actual login. If you used an html refresh code to redirect to a new page, then if someone viewed the source code, they could see that html. Also the page you are redirecting to wouldn’t be password protected would it?