One thing that you need to be careful to do, upon logout, is to break the user’s Back-button sequence.   You should be able to do this by sending him a redirect.

As others have suggested, it really helps to use a Perl framework that’s designed to do as much of the overall work as possible.   For example, http://www.cgi-app.org/index.cgi?LoginLogoutExampleApp has a complete example of a tiny CGI::Application site ...   It is fairly uncommon to see folks these days using CGI::Session directly.

The trouble is that Back will often hand you a cached copy of a previously displayed page.   But, the server is no longer in-sync with what it says:   the server now thinks that you have logged off, and, if you actually try to do anything with the cached page, you’ll discover that you have.   If you look at things using the debugger that’s built into your web browser, you’ll probably found that the web client didn’t send anything to the host when you pressed Back and it (merely) redisplayed the page.   You’ll probably find that you can go Back and Forward and see that, as you do, nothing new is being sent to the host.