I presume that session destroy would be a better place -
Why? Because logout is not called, when user closes a browser without logout, session destroy would be called later by session garbage collector. Your data will be still there.
You have to put your custom code into