Because when you get no rows, you basically get
0 or die(). 0 is "falsy", so your die is executed. You don't want a
die() there, basically just remove it.
$sql = mysqli_num_rows($query); // Don't use die() for this
See this live demo.
It's more common to use
or die() after the query, although it's not the best handling of errors, this is probably where you've seen it before
$query = mysqli_query($dbcon, "SELECT * FROM user WHERE login = '$login' AND password ='$pass'") or die ("Query failed ".mysqli_error($dbcon));
Also you should look into prepared statements to protect your database against SQL injection. See the links given below.