Back- and forward-navigation between 'secure' pages will only be restricted after logging out if you have specify the page property login-required="true" for those pages you do not want the browser to cache in memory. For example (in pages.xml): | <page view-id="/homepage.xhtml" login-required="true"> | ... | </page> | If you log-out from a page (or pages) that does(do) not have this attribute set to true you will be able to navigate back and forth which is the correct behaviour IMHO. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4055671#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...