If your login request is via a user supplying a username and password then a POST is preferable, as details will be sent in the HTTP messages body rather than the URL. Although it will still be sent plain text, unless you’re encrypting via https.
The HTTP DELETE method is a request to delete something on the server. I don’t think that DELETING an in memory user session is really what it’s intended; more it’s for deleting the user record itself. So potentially logout can be just a GET e.g. www.yoursite.com/logout.