As I mentioned before, HTTP is stateless-- as soon as a user retrieves a page he/she has requested, that's the end of the experience. Technically, at that point, the user is no longer "on your domain".
If I were you I would focus more on the question "How long has it been since a user requested a page?" Using that info, you can make some assumptions on whether a user is inactive or not. Has it been 10 minutes since the last request? Do you have any pages in the system that take more than 10 minutes to read? OK then, go ahead and assume the user is inactive if the last_activity is older than 10 minutes. Why make it any more difficult than that?
And again, I really don't understand why you'd want to log a user out after 60 minutes, or 3 hours, or 3 days. Who cares if he's got a session open that long? What consequence does that have? Unless you're the CIA, it doesn't really matter. I become extremely annoyed at my online banking because it's got a 20 minute timer. I understand they are protecting my account by making sure I didn't log in at a library somewhere and then walk away from the computer, but COME ON MAN-- 20 minutes is too short a time, and that's for a website that contains sensitive info that I want to protect! A social media website doesn't need that level of user protection. I'm pretty sure Facebook lets you go inactive for hours or days and doesn't kick you off.
I'll be gettin' off my soapbox now...