Have a look at Sandeep's article, which describes the browser issue:
Browser back button issue after logout
As Christian has said, you need to set the pages you don't want the user to be able to navigate to after the session has expired to not be cacheable.
Imagine the scenario - you're on a page that requires a session. You go to lunch and the session expires. When you come back, the page is still visible but when you try to do anything you will be directed to the authentication page with a 'return URL' that is the page you were redirected from. You authenticate again, acquire a new session and are redirected to the 'return URL'.
If you tried to click back in this scenario, by marking pages as not cacheable you would still be directed to the authentication page. Again, as Christian has said - code will only run when you instruct it to by having the page make an HTTP request (e.g. a postback). You could have fancy JavaScript running that polls for a valid session and redirects you when it can't find one, but I don't see the point in this. The above scenario is 'expected behaviour' for me.
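The behaviour described above, as an added example that is not part of the original answer: a minimal Python WSGI handler that marks session-protected pages as not cacheable and sends an expired session to the authentication page with a return URL. The `/login` path, the `ReturnUrl` parameter name, the `sid` cookie and the 20-minute timeout are assumptions made for the illustration.

```python
import time
from urllib.parse import quote

SESSION_TTL = 20 * 60   # assumed idle timeout, in seconds
LOGIN_PATH = "/login"   # hypothetical authentication page
SESSIONS = {}           # session id -> last activity time (constructed in-memory store)

# Sent on every response so the browser has to ask the server again
# when the user presses Back, instead of showing a stored copy.
NO_STORE = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]

def session_is_valid(sid, now):
    last = SESSIONS.get(sid)
    if last is None or now - last > SESSION_TTL:
        SESSIONS.pop(sid, None)   # expired or unknown: forget it
        return False
    SESSIONS[sid] = now           # sliding expiry on each request
    return True

def app(environ, start_response, now=None):
    now = time.time() if now is None else now
    path = environ.get("PATH_INFO", "/")
    pairs = environ.get("HTTP_COOKIE", "").split(";")
    sid = dict(p.strip().split("=", 1) for p in pairs if "=" in p).get("sid")
    if path == LOGIN_PATH:
        start_response("200 OK", [("Content-Type", "text/plain")] + NO_STORE)
        return [b"login form"]
    if not session_is_valid(sid, now):
        # The session check only runs because the browser made a request.
        location = LOGIN_PATH + "?ReturnUrl=" + quote(path, safe="")
        start_response("302 Found", [("Location", location)] + NO_STORE)
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")] + NO_STORE)
    return [b"protected content"]

def request(path, sid=None, now=None):
    """Drive the app once and return (status, headers as a dict)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if sid:
        environ["HTTP_COOKIE"] = "sid=" + sid
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    app(environ, start_response, now)
    return seen["status"], seen["headers"]
```
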