If I understand you correctly, the username and password are
String objects, so keeping them in the session is harmless.
As for DB connections, I would recommend using a connection pool of some sort, and the best way to ensure that connections are closed (or returned to a pool) is to do so manually after serving out a request.
As for controlling the session, you can set the timeout in web.xml.
To find out if a user's session had timed out, you may implement the HttpSessionListener interface.
Hope this helps.
Good luck.
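
A sketch of the three pieces the reply mentions (the web.xml timeout, an HttpSessionListener, and handing a pooled connection back after use), added here as an illustration and not code from the original poster. It assumes the `javax.servlet` API (Servlet 3.0 or later; newer containers use `jakarta.servlet`); the `pool` field, the `username` attribute and the `session_audit` table are hypothetical names.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.sql.DataSource;

// The timeout itself is set in web.xml, in minutes:
//   <session-config><session-timeout>15</session-timeout></session-config>
@WebListener
public class SessionAuditListener implements HttpSessionListener {

    // Assumption: the application assigns its pooled DataSource here at startup.
    static volatile DataSource pool;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do on creation in this sketch.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession s = event.getSession();
        // This callback fires for an explicit invalidate() (logout) and for expiry.
        // An idle time at or beyond the configured maximum indicates a timeout.
        long idleSeconds = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
        int maxIdle = s.getMaxInactiveInterval();
        boolean timedOut = maxIdle > 0 && idleSeconds >= maxIdle;
        Object user = s.getAttribute("username"); // hypothetical attribute name
        record(user == null ? "anonymous" : user.toString(), timedOut);
    }

    static void record(String user, boolean timedOut) {
        if (pool == null) {
            return; // no pool configured
        }
        // try-with-resources closes the statement and returns the connection
        // to the pool even when executeUpdate() throws.
        try (Connection c = pool.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "INSERT INTO session_audit (username, timed_out) VALUES (?, ?)")) {
            ps.setString(1, user);
            ps.setBoolean(2, timedOut);
            ps.executeUpdate();
        } catch (SQLException e) {
            System.err.println("session audit failed: " + e.getMessage());
        }
    }
}
```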