This is what I have tried from Python/tornadoweb:

    self.set_header("Cache-Control","no-cache, must-revalidate, max-age=0")
    self.set_header("Expires","Mon, 26 Jul 1997 05:00:00 GMT")

This is what I see from firebug when I first load the page:

Cache-Control   no-cache, must-revalidate, max-age=0
Content-Length  1715
Content-Type    text/html; charset=UTF-8
Etag    "e55dc7115d80aa09b470510ababb3515706f4a61"
Expires Mon, 26 Jul 1997 05:00:00 GMT
Server  TornadoServer/2.3
Set-Cookie  xsfr=5b7f3cf86c2e4537acd1bb1749484a5b; Path=/

And yet, when I press BACK button to go back to the original URL, I get a cached version of the page! The page is not re-fetched from the server. The result is that it contains invalid hidden form values. No matter how the user fills in the form, it cannot be processed.

The problem can be reproduced on firefox and chrome, but not from internet explorer.

So, how to force firefox and chrome to disable the cache and reload the page whenever the back button is pressed?

I don't know if you solved this issue or not, but I faced the same issue last night. This answer helped me to some extent. I solved it by setting the header and clearing the user cookie.

Here's a gist of what I did :

class BaseHandler(tornado.web.RequestHandler):

    def set_default_headers(self):
        self.set_header('Cache-Control', 'no-cache, no-store, must-revalidate')
        self.set_header('Pragma', 'no-cache')
        self.set_header('Expires', '0')

Now the SignOut handler :

class SignOut(BaseHandler):

    def get(self):
        self.clear_cookie("user")
        self.redirect('/')

"user" is the name of the cookie set.