You don’t need to do it manually. The servletcontainer will do it for you. You can access the tracked session by HttpServletRequest#getSession(). All you need to do is to put the logged-in user as a session attribute.

request.getSession().setAttribute("user", user);

Let the rest of your code intercept on that. You usually use a Filter for this.

if (request.getSession().getAttribute("user") == null) {
    // Not logged in. Redirect to login page.
    response.sendRedirect("login.jsp");
} else {
    // Logged in. Just continue request.
    chain.doFilter(request, response);
}

When you invoke the logout, just remove the user from the session.

request.getSession().removeAttribute("user");

The servletcontainer will manage the session expiration as well. When it expires, then the HttpSession will simply be trashed, including all of its attribtues.

As to the back button question, just instruct the client to not cache the response so that it’s forced to fire a brand new request which would then be passed through the Filter. This client instruction needs to happen by setting the response headers accordingly. That could be done in a Filter as well.

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.