The login page is likely been requested from the browser cache. Disable it by creating a Filter which is tied to the FacesServlet and has basically the following lines in the doFilter() method, so that you don't need to repeat it over all pages which you'd like to prevent from being cached.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
