Instead of "who", try using "w". It is a tad more informative, and it'll tell you how long someone's session has been inactive.
I've had it happen on my server where if I ran something within "screen", it left the user "logged in", and left a zombie process when it disconnected the screen.
You can go through and kill them manually (as I've found no way to avoid it if you have users improperly terminating sessions), or, if they've become zombies, let init reap them.
Also, while not the greatest practice, I just use "TCPKeepAlive yes". That seems to take care of when my PuTTY session gets whacked on accident.