I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions. I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages. I believe those are the triggers for establishing and terminating sessions. Please correct me if I'm wrong.
The ASM isn't really responsible for establishing or terminating sessions between clients and your application; it won't be supplying session IDs/cookies, for example. The login page functionality is more about establishing a relationship between a login page and URL's that should only be reached after login, with an eye to preventing forceful browsing.
The ASM has some sort of internal state keeping mechanism, recording which sessions have passed through the login page and how long it has been since the login event (if a timeout is configured). If the session then attaches to the logout URL, that state record is cleared, and any further attempts to go to a protected URL will result in violations. I suspect all of this is transparent to the client and application.