In my PHP application, I'm using $_SESSION to track whether a user is logged in. If a user leaves any page on my site at http://mysite.com and goes to http://someotherwebsite.com, I want to automatically log them out, such that if they return to any page on http://mysite.com, they need to log in again.

Is there an easy way to do this?

+11  A: 

You cannot explicitly tell when a user leaves your site; your best bet would be to implement a timeout on your sessions.

As most of the answers have said, you could check with the JavaScript event onbeforeunload, but the user can bypass this by disabling JavaScript or, as BalusC had pointed out, using a web browser that does not support it, such as Opera.

Therefore, I strongly believe implementing a timeout on your sessions is the best way to force a logout.

Anthony Forloney
..or by using a web browser which doesn't support it, like Opera.
BalusC
Thanks BalusC, I added that into my answer with credit towards you, if that's alright.
Anthony Forloney
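
A server-side idle timeout of the kind the answers here recommend, written as an added example (not code from any poster). The 15-minute limit, the `user_id` and `last_seen` session keys, and the `/login.php` path are assumptions.

```php
<?php
// Added example: idle timeout enforced on the server for a $_SESSION login.
// The timestamp check is what enforces the limit; session garbage collection
// (session.gc_maxlifetime) runs probabilistically and is not a precise timer.
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

/** Pure decision: is this session still valid at time $now? */
function session_is_fresh(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false; // not logged in, or no activity stamp recorded
    }
    return ($now - (int) $session['last_seen']) <= $limit;
}

/** Call at the top of every page that requires a login. */
function require_fresh_login(): void
{
    session_start([
        'cookie_httponly' => true,  // keep the session cookie away from scripts
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,  // reject session ids the server did not issue
    ]);

    if (!session_is_fresh($_SESSION, time())) {
        // Expired or never logged in: clear server state and the cookie.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 3600,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: /login.php'); // hypothetical login page
        exit;
    }

    // Any request to this site resets the idle clock; time spent on
    // another site does not, so a long enough absence forces a new login.
    $_SESSION['last_seen'] = time();
}
```

The login handler is assumed to set `$_SESSION['user_id']` and `$_SESSION['last_seen'] = time()` after calling `session_regenerate_id(true)`.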
A: 

You can't (but your sessions will time out automatically after a while, so you could set the timeout to a short time).

ChristopheD
A: 

From what I know about PHP (which isn't much) would your application ever know they left the site? If you go to someotherwebsite.com, your code isn't called again until they return.

John at CashCommons
A: 

You could perform an AJAX call in the onbeforeunload event to some server side script that will kill the session.

Darin Dimitrov
Would that still be useful if the user has JavaScript turned off?
Anthony Forloney
Absolutely not useful.
Darin Dimitrov
+2  A: 

Except for putting a timeout on your sessions - not really. The only way that comes to mind is the onbeforeunload JavaScript event that fires when the user leaves the current page, but that event doesn't know where the user is going. You could however, if you really want to do this, maybe build something based on the following hacky workaround (untested):

  • Set an onbeforeunload event that sends an AJAX call to your server. (How to do this successfully - so the call gets through before the page gets closed - is an issue of its own; a search for "onbeforeunload ajax" on SO should yield some results.)

  • The Ajax call would start a countdown saying that this user's session is about to die in, say, fifteen seconds.

  • If the user is leaving your site, the countdown applies.

  • If the user is going to a different page on your site, you clear any "die" countdowns when serving the next page.

This is likely to be shaky because it could happen that an Ajax request starting a countdown arrives at the server after the next page has already eliminated that countdown. But if you really need to do this, this may be a direction. Works for users with JS enabled only, of course.

Pekka
A: 

Unfortunately not really. This is one of the big problems with web applications. Your application has no way of knowing that the browser has moved on to a different website.

As ChristopheD mentions, you can set the session timeout. Just remember that your site will only refresh the time when the server receives a post or some kind of JavaScript ping.

Hope that helps

Anthony
A: 

A second idea how to implement this would be to put an extremely low timeout on sessions (e.g. 90 seconds), and to put an iframe on every page you serve. That iframe would then make a call to the page every 60 seconds.

This would work without JavaScript, but could create annoying clicking noises in older versions of Internet Explorer (I don't know whether that stopped in 6 or 7?)

Pekka