I found the following methods in Action.java which I think may help to control the session ID. That means if the user submits the page and press the back button and submit the page again it will throw an error.
Before going to a page you want to protect, route to an Action first and call SaveToken. This stores a token with a unique value in the user's session.
If the page uses the html:form tag, it will automatically include a hidden field with the token if it finds one in the session.