Type: New Feature
Servlet 3.0 introduced the HttpServletRequest#logout method.
Invoking this method does not seem to cause any method on a configured auth module to be invoked. This makes it impossible for an auth module to fully manage the authentication session. A specific use case is the implementation of a "remember me" functionality. For this the auth module can e.g. insert a cookie into the response after a successful initial authentication. This cookie should then live beyond a session expiration, but has to be removed when a user explicitly log outs.
Without the auth module being notified of such an explicit logout invocation, there is no opportunity to remove said cookie.