The same problem we had in
MYFACES-3936 happens for Faces Flows.
Faces Flow scope is bound to the client window and to the flow id. The problem is since there is no expiration strategy per client window, once a faces flow bean is create it is not expired unless you end the flow manually or the session expires.
The solution is similar to the solution we did in
MYFACES-3936: use an LRUMap with the client windows and a list of the active flow scopes ids, so when the client window is discarded, the flow scope asociated to the client window is destroyed too.
Please note there is nothing in JSF spec that says so, it is not a bug, but it is a matter of consistency. We want to keep the session size as small as possible, and we already have done things in our algorithm like destroy view scopes when a view is discarded when server side state saving is used. The cleanup strategy adds a small overhead in session, because we need to add the mapping between client windows and flow scope ids, but the advantage is with this we can set a limit about how big the session object can be.
The idea is create a config param like org.apache.myfaces.NUMBER_OF_CLIENT_WINDOW_FLOW_ID_TOKENS_IN_SESSION to limit the number of valid tokens and use org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION or org.apache.myfaces.NUMBER_OF_SEQUENTIAL_VIEWS_IN_SESSION