This can't be right! If you type in the password as numbers it gives you access. It will give you access if you type in the username and password right, but if you enter any username and just type any number for the password, it gives you access!
That's the whole security genius of sessions at work. When you use sessions, it creates a data ID for the user, and every time you move to another page, it will make your browser expire the page, for security reasons. That's why sessions were invented in the first place.
I don't know ways around this, but do check out your server's phpinfo() for more details to see the setup you have.
I can suggest dropping by phpwizard.net; in their tutorials section is a VERY detailed tutorial on garbage collection methods and settings you can play with.
I was working on a script that used sessions to pass the variables from page to page, but because of the same problem you encountered, I decided to rewrite the script and pass the variables in a query string, so that the users could use their back buttons to make changes to their form entries on previous pages. I don't know of any way around that side effect.