Strange security

<?php

function check_login_cp($admin,$url)

{

        global $db;
    global $db_admin;

 if (!$_SERVER['HTTP_REFERER']) { header('Location: index.php'); die( "Hacking attempt!" ); exit; }

 if (!isset($_SESSION["adm_ident"])) { header('Location: index.php'); die( "Hacking attempt!" ); exit; }

 if (!isset($_SESSION['admin_login'])) { header('Location: index.php'); die( "Hacking attempt!" ); exit; }

$sql    = 'SELECT * FROM ' . $db_admin . ' '
        . 'WHERE login="' . $_SESSION['admin_login'] . '"';
$r_auth = $db->query($sql);
$f_auth = $db->fetcharray($r_auth);

if ($f_auth['login'] == $_SESSION['admin_login']
    and $f_auth['password'] == $_SESSION['admin_pass']
    and mysql_numrows($r_auth) == '1')
{
    mysql_free_result($r_auth);
    $_SESSION['name_admin'] = $f_auth['name'];
    $_SESSION['admin_login'] = $f_auth['login'];
    $_SESSION['icq_admin'] = $f_auth['icq'];
    $_SESSION['phone_admin'] = $f_auth['phone'];
    $_SESSION['adress_admin'] = $f_auth['adress'];
    $menu_start=explode("#", $f_auth['menu']);
    $_SESSION['menu'] = $menu_start[1];
    $_SESSION['menu_punkt'] = $menu_start[0];
    $_SESSION['num_admin'] = $f_auth['num'];
}
 else

{
    $_SESSION = array();
        $_SESSION ['url'] = $url;
    header('Location: index.php');
    die();
    exit;
    return;
}

}


if ($_GET["REQ"] == "auth")

{
    if (!isset($_SESSION["adm_ident"]))

    {
        session_start();

        $vid_login = trim(htmlspecialchars(strip_tags($_POST["login"])));
        $vid_password = trim(htmlspecialchars(strip_tags($_POST["pass"])));

        if ($vid_login!='' and $vid_password!='') {

            $_SESSION["admin_login"] = $vid_login;
            $_SESSION["admin_pass"] = md5($vid_password);
            $_SESSION["adm_ident"] = time();
        }
    }

check_login_cp('0_1','main.php');
header('Location: /');

?>