1) When you click the browser's back button, you get the previous page because it is served from the browser cache.
2) When you click on any page after going back, you get status 500: a NullPointerException is thrown because the session object has already been invalidated.
3) When you refresh, a new request goes to your servlet or JSP, where you are calling the request.getSession() method, which creates a new session object for you. As a result, you get full access to all pages again.
To avoid this problem, you can follow the steps below.
1) In the application, create one servlet, e.g. LoginCheckerServlet.
2) Give this servlet the URL pattern /*
3) The servlet will then be executed for every request.
4) In LoginCheckerServlet, check for a username and password in the request parameters.
5) If they are present, perform the login check and display the welcome page.
6) If the username and password are not present, there are two possibilities:
i) the user is already logged in
ii) the user is trying to access your app illegally
7) Now call the request.getSession(false) method, which gives you the session object if a session already exists for this user, so you can trust the user and redirect to the welcome page.
8) request.getSession(false) gives you null if no session exists for this user.
9) If there is no username and password in the request parameters and request.getSession(false) also returns null, the user is trying to access your application without logging in, and you can happily display the forbidden page.
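The steps above as one servlet; this is an added example, not code from the original answer. Assumptions: the javax.servlet API (Servlet 3.1 or later), request parameters named username and password, a session attribute named user, and a constructed demo credential in place of a real user store. The Cache-Control header and the changeSessionId() call are additions beyond the listed steps, and responses are written directly because a forward to a JSP would be caught by the /* mapping again.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: mapped to /* so it runs for every request (steps 1-3).
@WebServlet("/*")
public class LoginCheckerServlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Keep protected pages out of the browser cache, so "back" after logout shows nothing.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain;charset=UTF-8"); // plain text: the name is never rendered as HTML
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username != null && password != null) {
            // Step 5: credentials were sent, so perform the login check.
            if (!checkCredentials(username, password)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            HttpSession session = request.getSession(true); // only a successful login creates a session
            request.changeSessionId();                       // discard any session id issued before login
            session.setAttribute("user", username);
            response.getWriter().println("Welcome, " + username);
            return;
        }

        // Steps 7-8: getSession(false) never creates a session; null means none exists.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Step 9: no credentials and no logged-in session, so show the forbidden page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.getWriter().println("Welcome, " + session.getAttribute("user"));
    }

    // Constructed demo credential; a real application verifies a salted hash from its user store.
    private boolean checkCredentials(String username, String password) {
        return "demo".equals(username) && MessageDigest.isEqual(
                password.getBytes(StandardCharsets.UTF_8),
                "demo-pass".getBytes(StandardCharsets.UTF_8));
    }
}
```

Checking the user attribute as well as the session itself means a session created elsewhere by a plain request.getSession() call is not treated as a login.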