As currently implemented, MyFaces can attempt to create a new session after the response has been committed. This is due to calling saveSerializedView on the JspStateManagerImpl even in cases where writeState was never called (e.g. a JSP outcome target with no form tags). This can lead to either an IllegalStateException being thrown or else extra sessions being created which wait until the session timeout is reached to be destroyed and thus can lead to a potential memory leak. Which behavior is seen depends on the appserver being used and whether it reuses session cookies for the same client.
JSPStateManagerImpl will be updated to set a FacesContext attribute on writeState to indicate that the state should be written by saveSerializedView.
On 2.0, FlashImpl also needs to be updated as well to not create a new session during the remove children operation. Currently we are creating a new session just to create a new map and then clear it.