Assuming that the parent page does not require login (since I'd say that
you should never get to the includes if the including page requires authentication) I'd say.... it depends.
What a useless answer! Sort of like "cook it until it's done"
Seriously, here's the criteria I'd use to come to the decision:
If the sub-pages can be included in other places (I'm assuming that they are includes because they are modular) where login is not required, then the logged-in-or-not decision is clearly with the parent page since that's where the decision-making context lies.
If these sub-pages must always be authorized, it'd be safest to put the logic in the includes since they might accidentally get included in a parent page that didn't enforce the "rules".
But my own personal choice would probably be to abstract the include into custom tags so that all decision making isn't done on-page at all. (But I know not everyone is comfortable with whipping out tags).
Does this help?
bear