I have a session variable that keeps track of a user name and is set through a login page. Every page in the application first checks for the session variable and redirects to the login page if empty. I have a log out button that calls session.abandon and redirects to the home page. If the user logs out, then clicks the back button on the browser, it seems like session variables still exist. However, if the user logs out, then manually types in the address of one of the pages, it correctly redirects the user to the login page.
Since the back button brings the page from the local browser’s cache, it does not run your session login check code again. So the user can access it. To prevent this, you can make sure the browser does not cache your pages. You can do this by providing some META tags. However, all your pages will need to be treated this way, making the browser fetch pages each and every time from your site. Check out the pros and cons before deciding.