First of all, implement the filter which looks for the active session whenever some one tries to access the user pages, in that case even if browser goes to last page after logout using back button, the user can't do anything as he/she will be redirected to login page.
To directly answer your question:
disable back button after logout
One clean Code note:
HttpSession ls = request.getSession(false);
'ls' doesn't sound good for session variable name, may be, umm, you can use more intrigued one, like "session"