String Based Security Basics

I was not sure how to formulate this question, so I apologize in advance if this is a duplicate of something else.

I wanted to test sanity as I secured my application based on twisting, and I think I did a good job on this, but it has been more than ten years since I wrote everything that uses raw or managed sockets.

Authentication operation: The client connects, and immediately the answer to the call is sent with a 16-character hexadecimal string. The client side takes the username and password, the password is converted to sha1 (salt + sha1 (password)), and the credentials are sent back to the server as {username, password}. On the server side, authentication performs a standard search pattern (if the user exists and has a password equal to the input, and then a grant).

If the connection between the user and the client is lost, the protocol class marks itself dirty and disconnects from the user object. At any time after this point, in order to access the user object again, the client will have to repeat the authentication process using the new salt.

Am I missing something? Is there a better / safer approach for character stream protocol?