1) You will need to update the "restrict access" server behavior and change the trigger from "form submit" to "before page load". Right now it wouldn't restrict access to the page unless they submit a form on it.
2) This might be because the user hasn't logged in yet. I'd have to see the code on the login page to be sure that the session variable is stored properly there.
3) This is by changing the logout server behavior trigger. You can use the "button pressed" trigger to logout only after a button is pressed.