User identification

Is the user identity scheme correct?

Whether tell please correctly I represent the scheme of identification of the user. And are there other popular schemes that are fundamentally different from the one described below.
1. On the authorization page, the user enters his login and password through the form.
2. Next, a request is made to the server, for example, at /auth. The login/password is added to this request in the form of post-data or in the form of request headers
3. The server checks the received login/password. Encodes them, for example, using md5 and checks against what is in the database
4. If they match, then token 5 is generated
. And then this token is sent to the client. And on the client, the token is stored, for example, in a cookie, or in localstorage, or in a service that is active throughout the duration of the application
6. Now, for any request other than /auth, this token will be attached as a header or post-data to the request. And the server will verify the received token and the token on its side for this particular user.
7. If they match, then the requested information is sent to the client.
8. If they do not match, then the server sounds the alarm. He understands that the session was intercepted by an intruder
9. During normal operation, after a time specified by the server policy, for security reasons, the token becomes obsolete. And a new one is generated
10. Accordingly, re-registration is required. In order not to give the user a nightmare by re-filling the form, the client himself retrieves from some of his storage the login / password that was previously entered by the user. And sends it to the server, imperceptibly for the user
11. Then there is a return to point 3 and everything repeats.