If they are pressing the back button, you can't do a server-side check for the variable since the broswer is using cached version of your page, so no postback is made. You could most add an Ajax call in that page, which would run when the page is loaded, since that should be called during this kind of situation and redirect them to the page saying their session has expired.
To do what I just described, add a RadAjaxManager control on the page and then use its ajaxRequest client-side method to make an ajax call. In the code-behind handle the AjaxRequest event and redirect them if the session doesn't exist.
So something like this:
sender, AjaxRequestEventArgs e)
// check session code goes here
// redirect user if it fails
I hope that helps.