Would it be possible for another website user to accidentally be served
the flash[:notice] of another person? I may just redirect_to the final
screen and reread the data back from the database, but thinking about
all this made me wonder how secure flash[:notice] really is.

The flash is just a convenience gateway to the session. So if you trust
the session, you'll trust the flash. And the session is simply just a
unique MD5 string in a cookie on the client that gets shot across on
every request, which the server uses to find the session row/file with.
It's not a highly complicated system, so if you wanted to dig in to do
your own verification, it shouldn't be that onerous.
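
A simplified model of the mechanism described in the reply above, added here as an example; it is not part of the original thread and not Rails' own code. The names ToySessionStore, ToyFlash, handle_request and demo are hypothetical, and a random hex string stands in for the session id carried in the cookie.

```ruby
require "securerandom"

# Toy server-side session store: rows are looked up by the id from the cookie.
class ToySessionStore
  def initialize
    @rows = {}
  end

  # Returns [session_id, session_hash]; a missing or unknown id gets a new session.
  def load(cookie_sid)
    sid = @rows.key?(cookie_sid) ? cookie_sid : SecureRandom.hex(16)
    [sid, (@rows[sid] ||= {})]
  end
end

# The flash is stored inside the session: a value set in one request is
# readable in the next request of the same session, then discarded.
class ToyFlash
  def initialize(session)
    @session = session
    @now = session.delete(:flash) || {} # messages left by the previous request
  end

  def []=(key, value)
    (@session[:flash] ||= {})[key] = value
  end

  def [](key)
    @now[key]
  end
end

# One request: find the session by cookie id, read the flash, run the action.
def handle_request(store, cookie_sid)
  sid, session = store.load(cookie_sid)
  flash = ToyFlash.new(session)
  shown = flash[:notice]
  yield flash if block_given?
  [sid, shown]
end

def demo
  store = ToySessionStore.new
  alice, _ = handle_request(store, nil) { |f| f[:notice] = "Order saved" }
  bob, _ = handle_request(store, nil)
  { bob_sees: handle_request(store, bob)[1],
    alice_sees: handle_request(store, alice)[1],
    alice_again: handle_request(store, alice)[1],
    distinct_ids: alice != bob }
end
```

In this model the only thing that scopes a flash message to a user is the session id, so a message is shown to whoever presents that id and to nobody else.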