When using the FederatedPassiveSecurityTokenServiceOperations class from within our custom STS (ASP.NET MVC 4 site), the ProcessRequest() method correctly handles the incoming WS-Fed login and spits out the passive HTML form that auto-POSTs to the relying party. However, it seems that the Cache-Control header of this form is set to "Private", which allows browsers to cache this bootstrap form. In short, after logging out, if you click the "back" button enough times to land on that form again, it will indeed auto-POST and instantiate a new session with the RP.
We've noticed we can set the Cache-Control header _before_ calling this method to declare no-cache/no-store, but it seems that due to the nature of the content the framework should either a) be doing this automatically, or b) allow it to be specified.
Bug or feature?
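The workaround mentioned in the question (set the cache headers yourself before handing the response to ProcessRequest), written out as an added example. This is not the poster's code and not WIF's own; it assumes WIF 4.5 (System.IdentityModel.Services), an MVC controller named IssueController, and a hypothetical SecurityTokenServiceConfiguration subclass called MySecurityTokenServiceConfiguration standing in for whatever the STS site already has.

```csharp
using System;
using System.IdentityModel.Services;   // FederatedPassiveSecurityTokenServiceOperations (WIF 4.5)
using System.IdentityModel.Configuration;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

namespace CustomSts.Controllers
{
    // Hypothetical controller; MySecurityTokenServiceConfiguration is a placeholder
    // for the site's existing SecurityTokenServiceConfiguration subclass.
    public class IssueController : Controller
    {
        private static readonly SecurityTokenServiceConfiguration StsConfig =
            new MySecurityTokenServiceConfiguration();

        [Authorize]
        public ActionResult Index()
        {
            // ProcessRequest wants the raw HttpRequest/HttpResponse, not the MVC
            // HttpRequestBase/HttpResponseBase wrappers exposed on the controller.
            HttpContext ctx = System.Web.HttpContext.Current;

            // Mark the response uncacheable BEFORE anything is written to it.
            // ProcessRequest does not do this itself (it leaves the default "private").
            SetNoStore(ctx.Response);

            var principal = User as ClaimsPrincipal ?? new ClaimsPrincipal(User);

            // Handles the WS-Federation sign-in/sign-out message and writes the
            // auto-POST form (the bootstrap form from the question) into the response.
            FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
                ctx.Request,
                principal,
                StsConfig.CreateSecurityTokenService(),
                ctx.Response);

            // ProcessRequest has already completed the response; nothing left to render.
            return new EmptyResult();
        }

        // Sets the standard "never cache this" combination. ASP.NET renders it as a
        // Cache-Control value containing no-cache, no-store and must-revalidate, plus
        // Pragma: no-cache and an already-expired Expires header for older caches.
        internal static void SetNoStore(HttpResponse response)
        {
            response.Cache.SetCacheability(HttpCacheability.NoCache);
            response.Cache.SetNoStore();
            response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
            response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
            response.AppendHeader("Pragma", "no-cache");
        }
    }
}
```

To confirm it took effect, sign in, open the browser's network panel, and check the response headers on the STS request that returned the auto-POST form: Cache-Control should list no-store rather than private, and pressing Back after sign-out should then re-request the page from the STS instead of replaying the cached form. The header only controls caching; the token embedded in that form stays valid until its own expiry, so a short token lifetime on the STS is the complementary control.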