how to invalidate session in jsf 2.0 if browser get closed without being invalidating the current session.

You can’t do this programmatically in a reliable manner. The session will however automatically expire after 30 minutes. If you open a new browser, then a new session will be created and the previous session won’t be accessible anymore.

and don’t want my user to get assess to the restricted user pages by using back button.

You need to instruct the browser to not cache those restricted user pages. You can do this by creating a filter which is mapped on an URL pattern which covers those pages and does the following job in doFilter() method:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpRes = (HttpServletResponse) response;

    if (!httpReq.getRequestURI().startsWith(httpReq.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
        httpRes.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        httpRes.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        httpRes.setDateHeader("Expires", 0); // Proxies.
    }

    chain.doFilter(request, response);
}

This way the browser is forced to send a full HTTP request everytime instead of showing the page from the browser cache.