You don't want an expires header, you'll be wanting a "Pragma: no-cache" header and "Cache-control: no-cache" header (to catch HTTP/1.0 and HTTP/1.1 client and caches)

When specified, every request will be revalidated at the server, so, if you've destroyed your session object there, you'll want to tell the user to log in again...