The current toolkit (v13) lacks a means to validate self service users from an existing session. Using the login() call will overwrite your existing session information. If all you want to do is authenticate a self service user you need to add a new function to your local class which extends SforcePartnerClient. The example function returns the result of the login call or null if it fails. You may want to check the value of the passwordExpired field in the result to see if the password needs to be changed. If so, you can use the setPassword() call to do so, passing the userId returned from the selfServiceLogin call and the new password.


   class MyClient extends SforcePartnerClient {
       public function selfServiceLogin($username, $password) {
           $header = new SoapHeader(
               $this->namespace,
               'LoginScopeHeader',
               array ('organizationId' => $this->loginResult->userInfo->organizationId,
                      'portalId' => null));
           try {
               $this->sforce->__setSoapHeaders(array($header));
               $result = $this->sforce->login(array (
                'username' => $username,
                'password' => $password
               ));
               $result = $result->result;
               return $result;
           } catch (Exception $ex) {
               echo $ex->faultstring;
           }
       } 
   }