If you log into a secure area, navigate around, log out and then hit the back button, you'll see secure pages.
To get around this you can add response headers to expire the page.
<cfheader name="Expires" value="#GetHTTPTimeString(Now())#"> <cfheader name="Pragma" value="no-cache"> <cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
The downside being that there is less caching and more requests to the server, but for a secure area this seems like a nice trade-off.
Thanks to Rich Cooper for the code snippet.