Aha! One of the oldest problems around. Not strictly a
Java server problem, though, except for the obvious need to ensure that the user truly logged out and the session was destroyed.
There are at least 3 different ways to turn off client-side caching, depending on the version and manufacturer of the browser, including the meta tags Cache-Control, Pragma (no-cache) and the response.setHeader() functions (It also doesn't hurt to make the page expired). Ideally, there should be an appserver method to do all these things at one go, but if there is one, I missed it. I think that there are some JavaBeans that will help you, though - check out alphaworks.ibm.com, for instance.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.