Hmm, I'm guessing that this is so that you as a developer have a warning that you may be mucking with an online user's data?
Sadly, unless the user is using RTT, the system doesn't deterministically know that a user is still online.
We do however know when the user last logged in - and that is shown on the User Summary page here (see capture).
You can further get an idea if a user is still online via the User Monitoring | Logs page...
Might be interesting to see if we could query the last session for the time of the last received request... though we'd need to somehow differentiate a real session from an API Explorer session... Hmm, some food for thought.