You have already started a session? Try removing
Edit: Do this
$query = mysql_query("update users set password=SHA1('$nova_password') where username='$utilizador'"); // Destroy session and send them to login form session_destroy(); header("Location: http://yourdomain.com/login.php"); exit();
But If you'd like to echo a message first you could use
header( "refresh:seconds;url=wherever.php" );. But yes make sure no headers have been sent yet. Else you could use
<meta http-equiv="refresh" content="seconds;url=url">
Or you could turn on output buffering
ob_start(). Then it don't matter.