While running a security application, user refreshed the page. The page shows session expired and shows a link for login. Is the application secure?

Refreshing a page which performs a postback , it can expire the session again depending on what action you performed , best would be to not allow the same action and inform the user that transaction is completed.

If it is expiring the session for GET requests , I would say it's overdoing security. Reasons being we can't assume that the browser and server will always go hand in hand . So most of the times network latency (delay) or not found people will refresh the page , so a site should expect refreshes.