I found out that the JSF 2.0 Flash scope is implemented in Mojarra 2.x via a cookie. What seems to happen is that when navigating from view A to view B using The Flash, JSF sends a redirect response. It is this same response that contains the set-cookie header.

As cookies are global for the browser, I wonder what the chances are that this leads to a race condition. As the cookie is set during the redirect response, I tried to find if the HTTP spec somehow guarantees that the request that the browser issues in response is always the first to utilize this cookie.

In general however, there might still be a problem if this first request is somehow stalled (since the Internet decided to route that particular request half way around the world), and then a second request originating from another tab arrives at the server first.

Isn't a cookie a terrible idea to use for a flash scope between two pages, or am I overlooking something and is it perfectly safe?

If there is resource, such as a file or, cookie... for sure, there will always be a chance to be a race condition. But you should investigate, how to avoid it.

I think the answer to have it perfectly save are EJB 3.0 We use EJB 3.0 because are transactional safe. In the same way we pass a request to an EJB to insert data in a database, you can interact with your flash scope using an EJB as a negociator. That way your transaction will be secured and that means you will be race conditon risk free.