I haven't done anything similar to what you are trying to do, but can't you just assign a filter iin your controller? Something like this

$this->beforeFilter('auth');

and in your filters.php

Route::filter('auth', function() {
	if (Auth::guest()) {
		return Redirect::guest('login');
	}
});

There isn't much you can do about people hitting back. it will load more than likely a cached version. they wont be able to actually do anything because all actions will go to routes that hopefully have auth filter on them.

They aren't logged in, but they are seeing a cached version of the page.

This work for me:

App::after(function ($request, $response) {
	/** @var $response Illuminate\Http\Response */
	$response->header("Cache-Control", "no-cache,no-store, must-revalidate");
	$response->header("Pragma", "no-cache");
	$response->header("Expires", " Sat, 26 Jul 1997 05:00:00 GMT");
});

how to encrypt apis in laravel with x-www-form-urlencode format