There is a J2EE design pattern which you can use to get rid of some/all of your problems.
I guess the pattern name is called "Token Synchronization". I am sorry I cannot recall the exact name of the pattern.
This pattern is used to handle multiple form submissions. I guess this can be used for the back button issue.
This is how it works. The application should maintain a token (any unique number) in the user session. This value should also be maintained in the user interface as a hidden field. So, when the user submits the form, from your Action class check if the value returned by the hidden field is the same as the value in the user session. If both values match, then the user is submitting that form for the first time. Soon after you check the value, update the value in the user session. Now, when the user clicks on the back button and resubmits the form, the value that was sent by the user does not match the value in the user session. In which case you may not process the request, or return an error message to the user saying the request is already submitted.
If someone bookmarks that page and later tries to access that page, then check for the validity of the user session. If he has an invalid session then redirect him to your login page.
If you can browse through the Sun web site you might find some example for this approach.
Hope this helps. Do let us know if you have a better solution to your problem.
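The token check described in the post above, sketched as an added example that is not part of the original post or of any framework's own code. A plain `Map` stands in for the user session so it runs without a servlet container; the class name, the `form.token` key, the use of `SecureRandom` for the token and the remove-on-check step are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SyncTokenDemo {
    static final String KEY = "form.token"; // hypothetical session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Call when rendering the form: store a fresh token in the session and
    // return it so the page can emit it in a hidden field.
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        synchronized (session) { session.put(KEY, token); }
        return token;
    }

    // Call from the action handling the submit. The token is removed in the
    // same synchronized block that reads it, so two concurrent submits of the
    // same form (double click) cannot both pass the check.
    static boolean consume(Map<String, Object> session, String submitted) {
        String expected;
        synchronized (session) { expected = (String) session.remove(KEY); }
        if (expected == null || submitted == null) return false;
        // Constant-time comparison of the session value and the hidden field.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stands in for the user session
        String hidden = issue(session);                // value placed in the hidden field
        System.out.println("first submit accepted: " + consume(session, hidden));
        System.out.println("back + resubmit accepted: " + consume(session, hidden));
        issue(session);                                // form rendered again, new token
        System.out.println("wrong token accepted: " + consume(session, "guess"));
    }
}
```

In a servlet application the same two calls would go in the code that renders the form and in the Action that handles the post, with the session attribute replaced on each render.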