well, since session data is saved to files by default, you could just scan the session dir using readdir() and check for all files that have been modified in the last 15 min or whatever period you consider "active"
but if your on shared hosting, you would end up including all the other websites sessions too.
you would need to use ini_set() to change the
session.save_dir to a directory that only you will use. then you could scan it safely like that.
but a better method imo is to use a database.
make a table for active sessions. on every page request, if a user is logged in, update that table with their session id as an identifier, and a timestamp to reflect thier last activity.
then you can select all records from the table which have a last active timestamp within the last 15min or whatever,
you would probably want to set up another script to run via cron, that would be executed every hour or whatever, that would go through the table and clean up all old stale data so your db doesnt become gigantic a few months from now.
im sure if you search for "users online" you will find plenty of info on this.
