The login routine is hosted in /server/ajax/user_manager.php

The following line checks for the login. 

$userObj = new C_User($_POST['username'],$_POST['password']);

Then once simply checks for status returned from $userObj->loggedIn, and set session variable.