I implemented a sevlet filter in my application, and within the filter, if I find some specific url pattern, I will use request.getSession().invalidate() to logout and clear the session, then redirect to a login page.
The session is a server-side concept. The browser only hold a jsessionid to tell the server which session object to fetch for this request.
That said, your problem is not IE. And even if it is, it is some sort of caching the you are facing. Clear your cache. You can set these response headers:
Cache-Control: no-cache, no-store Pragma: no-cache