There is a (partial) answer to your question in the
original post you made in JSP...
Piyush links you to an article describing how to turn off page caching. It's a known 'difficulty' to get all browsers to behave properly, and IE seems to be the bad-guy in most cases, but this is your best option.
Let's imagine a sequence of pages: page1, page2, page3, page4. As a real-world example, lets say that pages 1-3 are a wizard (a bunch of forms) and page4 logs you out of the application. There is just *no* way to determine if a user's request for page3 was because they clicked on the link or submit button on page2, or if they used the browser's back button from page4.
The difficulty is this: the browser either caches the page, and so a 'back button' doesn't actually hit the server-side again, or the browser will re-submit the original request, and so a back-button from page4 to page3 looks to the server like a request from page2 to page3.
Solution:
implement the no-cache strategy to force each request to hit the server side, thus ensuring you can make 'state' checks.
The second half of this is: On *every* single request, check to see if they are logged in (if their session is valid). If page4 invalidates their session (it logs them out) and they make a request for any other page, including by means of using the back button, then the fact they are logged out can be caught, and they will re-direct to a login page.
[ July 11, 2002: Message edited by: Mike Curwen ]