In a normal situation, once a user quits a page his cookie refering to the session will be cleared. (when he closes his browser). The next time he opens a browser and visits your page, he will start a new session.
Now because he lost the reference to your session and nobody else is using it either, the session file will no longer be accessed and once it hasnt been access for a certain amount of time, the garbage collector will clear it.
So you do not need to worry about "Clearing security tokens" when a user leaves the page. That is automatically taken care of. Unless ofcourse you screwed with the session management yourself. See the session settings information for options you can change.
Now if your goal is to clear the tokens while the user is still on the page using the same session, there are a few options.
The first would be to use a single security token per session. If the user closes the page (read: loads another page on your site) then he will be issues a new token in $_SESSION['token']
(no array) and the old one is cleared. That does require you to check the token after a POST
before you change it.
Another option is to only keep like the last 5 or so tokens. Then you can keep it clean without needing to alter the check for tokens. You can use array_shift to do that
<?
$tokens[] = 'new token';
if (count($tokens)>5) {
array_shift($tokens); //first is removed, so the last 5 remain
}
?>
The last way I can think of is to add a time to the token and on page request, loop trough all tokens and check the time. If the time is more then xx minutes in the past, remove it.