Whatever you want it to do. You don't necessarily have to delete the whole session. But you can if you want. I've done several different things on different web applications. I don't think there are definitive answers to this, though there might be similar actions done in various scenarios.
What activities do you think should happen on logoff?
Search the forum for 'no cache'. If you include the correct instructions telling the browser not to cache the page, it won't. If the user logs out and tries the back button, the browser will re-request the page and be denied by the server.
What activities should happen on Logoff button click???
I've pointed this out a few times but it is always worth being aware of: while many containers use the session id to track users after they have logged in, authentication and session tracking are not the same thing.
Removing the user session is not always enough to log the user out. The example I usually give is with WebSphere - it uses its own encrypted cookie to maintain authentication details. If the session expires, the server gives them a new one but does not require them to log in again, so invalidating the session just means they get a new session, but you have not logged them off.
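An added example, not code from any poster in this thread: a logoff handler that covers the points raised above, clearing container-managed authentication separately from the session and marking protected pages as non-cacheable so the back button forces a new request. It assumes a Servlet 3.0+ container (`javax.servlet`); the class names and the `/logout`, `/secure/*` and `/login.jsp` paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet; map it to whatever URL the Logoff button posts to.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the container's authentication state. This can be tracked
        //    separately from the HttpSession, so invalidating the session
        //    alone may leave the user authenticated.
        req.logout();

        // 2. Discard server-side session data. getSession(false) avoids
        //    creating a new session only to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Keep the logout response itself out of the browser cache.
        NoCacheFilter.setNoCache(resp);
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }

    // Hypothetical filter: applies the no-cache headers to every protected
    // page, so "back" after logoff re-requests it and the server denies it.
    @WebFilter("/secure/*")
    public static class NoCacheFilter implements Filter {
        static void setNoCache(HttpServletResponse resp) {
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            resp.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
            resp.setDateHeader("Expires", 0);       // already expired
        }
        @Override public void init(FilterConfig cfg) { }
        @Override public void doFilter(ServletRequest req, ServletResponse resp,
                FilterChain chain) throws IOException, ServletException {
            setNoCache((HttpServletResponse) resp);
            chain.doFilter(req, resp);
        }
        @Override public void destroy() { }
    }
}
```

To check the result, request a page under `/secure/` after logging off and confirm the server redirects to the login page rather than issuing a fresh session and serving the content.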