Bug 667257 (Closed)
Opened 13 years ago; closed 5 years ago
Create a "clear back/forward history for this site" API for use by "log out" buttons
Categories: Core :: Security, enhancement
Status: RESOLVED FIXED
People: Reporter: jruderman, Unassigned
Keywords: csectype-disclosure, sec-want; Whiteboard: [sg:want?]
The back button has always made "log out" buttons less than completely effective. The workarounds all have significant usability drawbacks, so only the most sensitive sites use them (and users hate them for it).
* Force logged-in activities to happen in a new window, which JS can close.
* Use "cache-control: no-store", which makes the site slow and broken even when you haven't logged out.
* Do everything in one page, so no session history is created.
* Break session history entirely upon log out, e.g. by loading a hundred pages in a row (see bug 639952). Bug 567365 comment 25 claims that Facebook does something like this.
It would be better if sites could say "delete all session history entries for this site" when I log out.
Comment 1 (Reporter) • 13 years ago
Adding such an API would make it more palatable to fix bug 261312 and bug 639952.
Whiteboard: [sg:want?]
Comment 2 • 13 years ago
There was a "Cache Contexts" IETF draft; see:
http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the
http://datatracker.ietf.org/doc/draft-pettersen-cache-context/
I don't know why the process has stalled (those drafts are currently expired) but the idea seems solid to me.
Updated by Reporter • 11 years ago
Keywords: csec-disclosure
Comment 3 • 5 years ago
I think this was considered and implemented as part of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
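The mechanism comment 3 points to, as an added example that is not part of the bug or of any Mozilla code: a minimal WSGI logout handler that answers with `Clear-Site-Data` (so the browser discards this origin's cache, cookies and storage) alongside `Cache-Control: no-store`, the blunt workaround the description lists. The route, cookie name and directive set are assumptions; browsers only honor `Clear-Site-Data` on HTTPS responses, and the server-side session still has to be invalidated separately.

```python
"""Logout response that asks the browser to discard this site's state."""
from http import HTTPStatus

# Directive names from the Clear-Site-Data spec; each is sent double-quoted.
# ("history" is not among them: the back/forward list itself is out of scope.)
VALID_DIRECTIVES = {"cache", "cookies", "storage", "executionContexts", "*"}


def clear_site_data_value(directives):
    """Serialize directives into a valid Clear-Site-Data header value.

    Each name becomes a quoted string; unknown names raise ValueError
    rather than silently shipping a directive the browser will ignore.
    """
    bad = [d for d in directives if d not in VALID_DIRECTIVES]
    if bad:
        raise ValueError(f"unknown Clear-Site-Data directive(s): {bad}")
    return ", ".join(f'"{d}"' for d in directives)


def logout_headers(session_cookie_name="sessionid"):  # cookie name assumed
    """Headers for the logout response: wipe client state, expire the cookie,
    forbid caching of this response, and bounce to the landing page."""
    return [
        ("Clear-Site-Data", clear_site_data_value(["cache", "cookies", "storage"])),
        ("Cache-Control", "no-store"),
        ("Set-Cookie", f"{session_cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly"),
        ("Location", "/"),
    ]


def logout_app(environ, start_response):
    """WSGI app: only POST /logout (assumed route) gets the clearing headers.
    Requiring POST keeps a third-party site from logging the user out with
    a plain link; a CSRF token check would belong here as well."""
    if environ.get("PATH_INFO") != "/logout" or environ.get("REQUEST_METHOD") != "POST":
        nf = HTTPStatus.NOT_FOUND
        start_response(f"{nf.value} {nf.phrase}", [("Content-Type", "text/plain")])
        return [b"not found"]
    # Server-side session invalidation would happen here (not shown).
    start_response("303 See Other", logout_headers())
    return [b""]


def run_logout(environ):
    """Invoke logout_app and return (status, headers) for inspection."""
    captured = {}
    body = logout_app(environ, lambda s, h: captured.update(status=s, headers=h))
    return captured["status"], dict(captured["headers"]), b"".join(body)
```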