Dan,
I was looking for something like this myself, and looked into it. I didn't find any way to gather that knowledge from information already in the system, but I did come up with a way to implement it. Here's what I did:
I added a column, "last_hit" of type timestamp/date to the users table. The semantics of this column is that it contains the timestamp for the user's last hit to the server, or a null if the user has logged out. However, for performance reasons, the value may be up to SessionRenew old.
It's updated to the current timestamp (now() or sysdate) whenever the session cookie is re-issued for a logged in user. It's cleared whenever a user logs out. When a visitor changes identity (one logged in user logs in as another user), the old user is marked as logged out as well.
It does have a few loopholes: If the same user is logged in with multiple browsers simultaneously, and one of them logs out, the user will be marked as logged out. However, if the other accounts keep hitting the server, eventually last_hit will be updated, and that user will appear active again.
I'll upload a patch.
/Lars