Bob,
It depends on what the purpose of your site is and who your intended audience is. If you have a site that has sensitive information stored or you have an audience that is using common terminals (like at a public library, Internet cafe, or college computer lab), then you'll definitely want to force another login. Many times, people will forget to close their browsers or they'll step away from the computer; you don't want someone accidentally stumbling into another person's session. But if this isn't the case, then just don't worry about it. There's no need to explicitly end a session.
But let's say you do want to end a session. The key concept here is session timeout. Every time a user arrives on one of your page, you should check to see whether or not a certain amount of time has passed since the last time they have arrived on one of your pages. Let's say I go to your website at 10:30. I surf around awhile, go have lunch, talk to my cat for a bit, and then return to your website at 12:30. When I arrive at the page, you should know that the last time I was at your site was at 10:30, and if two hours is too long, then you should time out the session, destroy the session variables, and redirect me to a login page with a message saying that my session has timed out.
There are a lot of examples of how to code a session timeout around the Net. Some things to remember:
1.) Create a variable that has the time that the person hit the page.
2.) Check that time against the current time.
3.) If the time is too long, destroy session and redirect.
4.) If the time is okay, set variable to current time and continue with the page.
Of course, if you want to be really wacky about it, you can always check the HTTP_Referer on every page, and if it comes from a domain that isn't yours, destroy the session and redirect them to a login page with a message saying that they've come from a site outside of your domain.
Hope this helps.
-- Lee
