After post is setting a value in JSF2 flash scope, it is visible again on second GET request to a page (Flash scope considered harmful)

I tested new Flash scope in JSF2 but I found a major issue with it or I am lacking some knowledge.

Having a page:

<h:body>
    Value in flash: #{flash.text}
    <h:form>    
         <h:inputText value="#{flash.text}" />
         <h:commandButton value="Test" /> <!-- Same behavior with faces redirect -->
    </h:form>
</h:body>

I have a scenario:

• Put a value 'foo' and click Test
• I get 'Value in flash: foo'
• I open new page with the same adress
• I get 'Value in flash:'
• I open another new page with the same adress
• I get 'Value in flash: foo' <- IMHO this is wrong!

Reproducibility: 100% Tested on Glassfish 3.1 and JBoss AS 7

Different problem with probably same reason: Removing JSF messages from the flas开发者_运维知识库h

So:

• Is it desired behavior of JSF2 flash?
• Based on this and other noticed problems with flash, shoud the reference flash implementation be considered harmful?

I think for now the implementation of The Flash should be considered harmful indeed. In the application I'm working on day to day I had a very good use case for it, but unfortunately The Flash just appeared to be unusable.

The main problem is that the cookie which is used to transfer a pointer to the state isn't cleared, see Flash scoped message lives longer than next request.

There also seems to be a security problem with the flash scope, see Flash scope cookie enables data exploits.

If any of this bothers you, please vote for the linked issues ;)