Hallo.
Bin auch gerade mit diesem Problem beschäftigt und habe auch noch keine anständige Lösung gefunden. Was ich vorher gelesen habe:

HTTP has no provision to cancel a user's credentials, and there is no general[8] way to do so. The workaround is to overwrite the user's credentials with those of another valid user at your site. Create a valid but unprivileged user ID, and a Logout URL which is permitted only to this user. This URL is now a logout button. This of course still leaves you the human task of persuading your users to use it.

Tönt nicht gut :)

mfg
Daniel