So, using HTTP authorization, getting the user's browser to stop sending auth headers constitutes how you get that user "logged out"?

If that's the case, I think what you're suggesting is having my webapp set a cookie to logout (maybe to expire the cookie?), such that the cookie somehow tells the user's web browser to stop sending authorization headers -- is that correct?

and the next roundtrip the browser issues an authorization header then decline the validity of that header.

But it would seem to me that the browser is carrying on a rather personal discussion with the web server, without my webapp even knowing about it. How do I "decline the validity" of that header? Does my webapp code even see it?

Hm... It would seem somewhat simpler to not even bother with HTTP authorization and just use cookies and my own webapp code to decide whether users are logged in or out. I think that's what you're getting at in your last sentence.