  1. Application Server 3 4 5 and 6
  2. JBAS-6175

Form-based WAR authentication - redirect fails second time round.


    • Bug
    • Resolution: Obsolete
    • Major
    • No Release
    • JBossAS-4.2.2.GA
    • None
    • Win XP; JDK 1.6.0_07; Firefox 3.0.3

      When using standard J2EE authentication of a WAR file, redirects fail to return the correct page.

      Authentication proceeds as follows:
      1. Request / -> server responds with login page.
      2. Login ok -> server authenticates and sends 302 redirect
      3. Follow redirect -> server responds with 'real' page.
      4. Do some work...
      5. Invalidate session to log out; send browser to / with JavaScript using window.location()
      6. Request / -> server responds with login page.
      7. Login ok -> server authenticates and sends 302 redirect
      8. Follow redirect -> server responds with 304 -> browser renders last seen version of URL: login page.

      The result of step 8 should be to display the 'real' page.
      Refreshing the page (Ctrl-R) loads the 'real' page fine, confirming authentication worked ok and that the browser is incorrectly using a cached copy.
      The same behaviour is also seen in Google Chrome, although Internet Explorer works as expected.

      Possible cause?
      -----------------------
      I'm wondering if Tomcat is getting confused with the If-Modified-Since or If-None-Match values on the requests? The requests made in steps 3 & 8 are identical (all headers the same).

              anil.saldhana Anil Saldanha (Inactive)
              johk_jira johnstok - (Inactive)
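
The symptom in step 8 can be confirmed from a captured request/response trace. The following is an added example, not part of the original report or of JBoss/Tomcat: it replays a trace against a simple per-URL cache model and reports the steps where a 304 makes the browser display a stored login form. The trace is constructed to mirror steps 1-8, and the login page is assumed to be recognisable by the standard `j_security_check` form action.

```python
# Added example: replay a captured exchange and report what the browser renders.
LOGIN_MARKER = "j_security_check"  # assumption: login form posts to the standard action

LOGIN_HTML = '<form method="post" action="j_security_check">...</form>'
REAL_HTML = "<h1>real page</h1>"

# Constructed sample trace mirroring the report: (step, method, url, status, body)
TRACE = [
    (1, "GET", "/", 200, LOGIN_HTML),
    (2, "POST", "/j_security_check", 302, ""),
    (3, "GET", "/", 200, REAL_HTML),
    (6, "GET", "/", 200, LOGIN_HTML),
    (7, "POST", "/j_security_check", 302, ""),
    (8, "GET", "/", 304, ""),
]


def replay(trace):
    """Return [(step, status, kind)] for each GET, using a per-URL cache model."""
    cache = {}
    rendered = []
    for step, method, url, status, body in trace:
        if method != "GET":
            continue
        if status == 200:
            cache[url] = body        # a full response replaces the stored copy
            shown = body
        elif status == 304:
            shown = cache.get(url)   # a 304 has no body: the stored copy is reused
        else:
            continue
        if shown is None:
            kind = "nothing-cached"
        elif LOGIN_MARKER in shown:
            kind = "login"
        else:
            kind = "page"
        rendered.append((step, status, kind))
    return rendered


def stale_login_renders(trace):
    """Steps where a 304 caused a cached login form to be displayed."""
    return [step for step, status, kind in replay(trace)
            if status == 304 and kind == "login"]


if __name__ == "__main__":
    print(replay(TRACE))
    print("304 rendered cached login page at steps:", stale_login_renders(TRACE))
```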