Not really much different from an internet approach, sticking to those three. HTTP is stateless, so it can't really tell who's online "right now"; unless it's actually receiving a request from some browser, the server has no idea whether or not the browser's there or not - it can't even know if the browser's receiving anything unless it sends back some sort of confirmation.
So any estimate of who's online will have to be vague. All the following assumes you are able to identify which browser is making which request (IP address, perhaps):
Have a table in which each user that is reckoned as being "online" is listed, along with the time they made their most recent request. A user is "online" if they made a request in the recent past (five or ten minutes, say). Each time a user makes a request, their entry in the table is updated with the current time.
If the user is not there, insert a new entry for the user, with the current time.
To find out who's online, query the table to see who has made a request in the last five or ten minutes.
Perhaps every now and then (randomly, on every hundredth request, say?) clean out the table by deleting entries that are too old to be seriously considered as representing "online" users.
