io ho provato a fare come avete detti voi..
ora il mio codice è :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<?php
include ("config.php");
if ( !isset( $_SESSION ) ) {
session_start();
session_regenerate_id();
}
//session_start();

//session_regenerate_id(TRUE);

//variabili per criptare in md5 = $password=md5(htmlspecialchars( $_GET[pass]));
$user=htmlspecialchars( $_GET[user]);

$password=htmlspecialchars( $_GET[pass]);

$query = "SELECT * FROM login WHERE user='$user' AND password='$password'";

$result = mysql_query($query, $conn);

if(mysql_num_rows($result)) {

//se è loggato creo la sessione
$_SESSION['user'] = $user;
$_SESSION['password'] = $password;

} else {
print("Login invalido.");
exit;
}
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Documento senza titolo</title>
</head>
<body>
<FORM action="http://localhost/xampp/tesina/prenotazioni.php" method="POST">
Inserire login: <input type="text" name="user" size=10>

Inserire passwd: <input type="password" name="pass" size=10>

<input type="submit" value="Login">
</FORM>
</body>
</html>

e il mio errore resta sempre:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /Applications/XAMPP/xamppfiles/htdocs/xampp/tesina/login.php:3) in /Applications/XAMPP/xamppfiles/htdocs/xampp/tesina/login.php on line 6

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /Applications/XAMPP/xamppfiles/htdocs/xampp/tesina/login.php:3) in /Applications/XAMPP/xamppfiles/htdocs/xampp/tesina/login.php on line 6

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /Applications/XAMPP/xamppfiles/htdocs/xampp/tesina/login.php on line 7
Login invalido.