Post by Jhong » Tue Aug 24, 2010 4:17 am
I think the login hook might proceed conceptually quite differently -- the hook might want to return true or false to enable / disable the login, or even override the user ID parameter.
However, for security reasons, a logout should probably always succeed and not be overridable. (Don't you need to have some certainty that a logout succeeds?)
I would have an additional hook for authentication (or perhaps a hook for each authentication method -- e.g. hook_authenticate_db, hook_authenticate_ldap).
Logging in should come after authentication IMO, so the flow would be:
- Authentication takes place: authentication hooks can override
- If authentication is successful (as reported by all hooks), then log the user in -- call the login hook
- Establish the session and set cookies, etc. (and call additional hooks as needed -- e.g. a set cookie hook...)
I know I use the equivalent hooks in WordPress quite extensively.
Logout on the other hand needn't have all these steps -- hook_user_logout and hook_user_end_session or similar would probably be enough.
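The flow proposed in the post above, sketched as an added example that is not part of the original post or of any project's code: `login()`, `logout()` and the `$hooks` array layout are assumptions made for illustration, and only the hook names come from the post. Authentication fails closed, the login hook can block or override the user ID, and logout hooks are notified but cannot stop the session from ending.

```php
<?php
// Added illustration: login(), logout() and the $hooks layout (name => callables) are hypothetical.
function login(array $hooks, string $method, int $userId, string $secret, array &$session): bool
{
    // 1. Authentication: fail closed if no hook is registered or any hook says no.
    $authHooks = $hooks["hook_authenticate_$method"] ?? [];
    if ($authHooks === []) {
        return false;
    }
    foreach ($authHooks as $fn) {
        if ($fn($userId, $secret) !== true) {
            return false;
        }
    }
    // 2. Login hook: false blocks the login, an int overrides the user ID.
    foreach ($hooks['hook_user_login'] ?? [] as $fn) {
        $result = $fn($userId);
        if ($result === false) {
            return false;
        }
        $userId = is_int($result) ? $result : $userId;
    }
    $session = ['user_id' => $userId]; // 3. establish the session (cookies etc. follow)
    return true;
}

function logout(array $hooks, array &$session): void
{
    $userId = $session['user_id'] ?? null;
    $session = []; // end the session first, so no hook can prevent it
    foreach (['hook_user_logout', 'hook_user_end_session'] as $name) {
        foreach ($hooks[$name] ?? [] as $fn) {
            try {
                $fn($userId); // notification only: return value is ignored
            } catch (\Throwable $e) {
                error_log("$name failed: " . $e->getMessage());
            }
        }
    }
}

// Constructed sample data: one DB authenticator and a logout hook that throws.
$hooks = [
    'hook_authenticate_db' => [fn(int $id, string $pw): bool => $id === 7 && hash_equals('s3cret', $pw)],
    'hook_user_logout'     => [function (?int $id): void { throw new RuntimeException('veto'); }],
];
$session = [];
var_dump(login($hooks, 'db', 7, 's3cret', $session));
logout($hooks, $session);
var_dump($session === []);
```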