Curious how others here would represent these in a REST architecture.

/users/login/
/users/logout/

These endpoints set up the session to login in the user, or clear it, respectively. My gut says POST, but I'm not in fact creating an object.

You should use POST - using GET for these actions can lead to issues with browser prefetching and search engine spidering. See (1, 2)

maybe CONNECT? MDN says:

The HTTP CONNECT method starts two-way communications with the requested resource. It can be used to open a tunnel.

as login means maintaining a session between browser and server, CONNECT method makes the most sense.