1) You could try to redirect after some time using the header refresh
or an Meta tags
. You could redirect to a special page which would log out the user. From that page you could redirect to the main page using the header Location.
2) I would not recommend to store the login and password in the session variables after the successful authentication. Usually they are not necessary any more after the authentication is passed. Also at some servers sessions could be badly configured so it could be possibly not really safe.
You could simply store some flag e.g. $_SESSION['login_success'] instead. If this flag is set and e.g. equal to 1, the user is logged in.
3) Advice given by Kieran491 to use session_regenerate_id()
after successful authentication is also very good. It addresses session security (not redirect after 15 min) but the advice is good. Using this function helps to prevent session fixation attacks. Simply run this function after you have checked the user authentication was successful in your script (but before any output is sent by the script to the browser).
Please ask questions if something is not clear.