Session invalidation is enough for a perfect logout servlet.In order to made logout working properly we want to add a concept of validating authentication.
HttpSession session = request.getSession(true);
session.invalidate();
Create an Auth object everytime user login.that includes id,username..etc.Then check that authObj ath the beginning of every operation inside servlet.After the session invalidation if you try to do any operation you will not get that authObj.because we don't have username (as an eg:) that we have already kept in session.The reason of unavailability of username is that we have done session invalidation.So we can't proceed to any operation in which we need to be logged in.Then just add a message like this:
PrintWriter out = response.getWriter();
out.println("SESSION FAILED!");