Following the improvements done in:
MYFACES-3117 Current server state saving implementation prevents multi-window usage
Which included also:
MYFACES-3134 Move all code related to state caching into one place
MYFACES-3137 Align ResponseStateManager implementation with the spec
MYFACES-3138 Simplify ResponseStateManager implementation code
It is possible to improve this part a lot more. The are some parts of the code that works fine but are too old and are not very well understood. I think it is reasonable to review this part in deep. Note this could suppose some changes in ServerSideStateCacheImpl, and other related classes.
Our PSS algorithm is very good, but these changes are more related to the logic involved in save/restore the state for both modes client side and server side state saving.
It is possible to imagine a "mixed" strategy between client side and server side state saving that could reduce the session size and in that way, achieve an even better scalability. Also, it is possible to imagine way to secure the token sent in the view when server side state saving is used using a random number, allowing to disable encryption in such cases.