Disclaimer: this might not work in a future version, and I recommend against this kind of workarounds
A quick work around for the refresh: After destroying the users sessions, you could open a new form with a URL redirector (available in the appstore) and redirect to your login page.
update: another solution might be
put a HTML Snippet in your form with the following contents:
<button value="Cancel" onclick="javascript:dojo.cookie('XASSESSIONID', null, {expires: -1});window.location.reload();"/>
This will remove the flash, but you need to style the button, and pressing the 'X' in the popup will still cancel the whole process.
It works with the url redirector. But I'm sure our customer will be not satisfied about the pop up which is loaded for less then a second. But our customer has to be satisfied with it, because there is no other option.