zf2: BjyAuthorize ACL module — security flaw or config issue?

rast

New Member
I have just downloaded the ZF-Commons module 'BjyAuthorize' and have just got it working using a derivation of the basic config suggested on the GitHub website: https://github.com/bjyoungblood/BjyAuthorize

This seems to be working fine: I get access to the files I expect and get a '403 Forbidden' notice if I click on resources I have yet to define or that hold elevated access rights. However, if I visit another website then click the back button, the ACL fails and I get full access to the denied page. If I click a link from the site (i.e. on the navbar), I once again get the 403. This seems strange, but then I am new to the module, so it is probably just a config issue.

I have configured the database to have two roles, user and guest; guest is a parent or guest. My config looks like this:

[code]
'bjyauthorize' => array(
    'default_role' => 'guest',
    'identity_provider' => 'BjyAuthorize\Provider\Identity\ZfcUserZendDb',
    'unauthorized_strategy' => 'BjyAuthorize\View\UnauthorizedStrategy',
    'role_providers' => array(
        'BjyAuthorize\Provider\Role\ZendDb' => array(
            'table' => 'user_role',
            'role_id_field' => 'role_id',
            'parent_role_field' => 'parent',
        ),
    ),
    'resource_providers' => array(
        'BjyAuthorize\Provider\Resource\Config' => array(
        ),
    ),
    'rule_providers' => array(
    ),
    'guards' => array(
        'BjyAuthorize\Guard\Route' => array(
            // Below is the default index action used by the [ZendSkeletonApplication](https://github.com/zendframework/ZendSkeletonApplication)
            array('route' => 'home', 'roles' => array('guest')),
            array('route' => 'zfcuser/logout', 'roles' => array('user')),
            array('route' => 'zfcuser/login', 'roles' => array('guest')),
            array('route' => 'zfcuser/register', 'roles' => array('guest')),
        ),
    ),
),
[/code]
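The role hierarchy and route guards in the post above can be checked outside the browser. The following is an added example, not code from the original post or from the BjyAuthorize project: it rebuilds the same two roles and the same four route rules with the ZF2 `Zend\Permissions\Acl` component and evaluates a constructed set of role/route pairs, so each allow or deny can be traced to one rule. The `isRouteAllowed` helper and the `sendNoStoreHeaders` function are my own names; the route names are taken from the posted config.

```php
<?php
// Added example (not from the post or the BjyAuthorize project). It mirrors the
// posted config with Zend\Permissions\Acl so the rules can be evaluated directly.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

// Roles as described in the post: 'guest' is the default role and 'user'
// inherits from 'guest', so every grant to guest also applies to user.
$acl = new Acl();
$acl->addRole(new GenericRole('guest'));
$acl->addRole(new GenericRole('user'), 'guest');

// Route guards from the posted config, as route => roles allowed to reach it.
$routeGuards = array(
    'home'             => array('guest'),
    'zfcuser/logout'   => array('user'),
    'zfcuser/login'    => array('guest'),
    'zfcuser/register' => array('guest'),
);

foreach ($routeGuards as $route => $roles) {
    $acl->addResource(new GenericResource('route/' . $route));
    $acl->allow($roles, 'route/' . $route);
}
// Zend\Permissions\Acl denies by default: a role/resource pair with no allow rule is refused.

// Decide one request. Routes that were never registered are denied rather than
// passed to isAllowed(), which would throw for an unknown resource.
function isRouteAllowed(Acl $acl, $role, $route)
{
    $resource = 'route/' . $route;
    if (!$acl->hasResource($resource)) {
        return false;
    }
    return $acl->isAllowed($role, $resource);
}

// Constructed sample of role/route pairs and the expected outcome.
$checks = array(
    array('guest', 'home'),            // allow: listed for guest
    array('user',  'home'),            // allow: user inherits guest's grant
    array('guest', 'zfcuser/logout'),  // deny:  only user is listed
    array('user',  'zfcuser/logout'),  // allow
    array('guest', 'admin'),           // deny:  route not defined anywhere
);
foreach ($checks as $c) {
    printf("%-6s %-18s %s\n", $c[0], $c[1],
        isRouteAllowed($acl, $c[0], $c[1]) ? 'allow' : 'deny (403)');
}

// When a protected page reappears on history navigation while a fresh request to
// it is refused, the first thing to rule out is the browser showing its cached copy
// instead of asking the server again. Marking protected responses uncacheable
// forces a new request, and the guard then decides again.
function sendNoStoreHeaders()
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}
```

The table printed by the loop is the same decision a route guard makes per request; comparing it against what the browser shows after a back-button navigation tells you whether the server actually re-evaluated the request or the page came from the browser's history cache.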
 