This may seem trivial.
What will happen to a session that was never destroyed/unset/write_close-d? Lets just say I have set the session to never time out. What will happen to the session if person finds himself at the login page and logs in using different credentials. Also just for the testing purpose, the login page doesn't have redirect if session is set.
Will it overwritten and destroyed or never destroyed?
If your login sets all of the session variables, the session will be effectively destroyed by the new values.
If there is a variable that's in the session that isn't overwritten by the login, then it will persist. The session is overwritten rather than destroyed and set again.
Sessions will be destroyed implicitly after timeout. The number of seconds for timeout can be specified in php.ini . Default is 1440 seconds or 24 minutes.
You have to set some arbitrarily large value for session.gc-maxlifetime to seemingly never time out.
If you let someone else to go through the login process, it must overwrite the existing session. But all this ultimately depends on your code.
if he logs in using different credentials with an already started session, the session will be simply overriden... in the case, that the user deletes his cookies etc., a new session will be generated and the old one MAYBE will retain as session-file or in DB... (depends on the php-settings)