Would it be possible for another website user to accidentally be served the flash[:notice] of another person? I may just redirect_to the final screen and reread the data back from the database, but thinking about all this made me wonder how secure flash[:notice] really is.
The flash is just a convenience gateway to the session. So if you trust the session, you'll trust the flash. And the session is simply just a unique md5 string in a cookie on the client that gets shot across on every request, which the server uses to find the session row/file with. It's not a highly complicated system, so if you wanted to dig in to do your own verification, it shouldn't be that onerous.
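The relationship described in the answer above, as an added example that is not part of the original posts and is not Rails' own code: a simplified model in which the flash lives inside a server-side session found by the id in the client's cookie. `SessionStore`, `handle`, `demo` and the cookie hashes are hypothetical names, and the random 32-character hex id stands in for the session string.

```ruby
require "securerandom"

# Simplified model only: a server-side session store with a flash on top.
class SessionStore
  def initialize
    @rows = {} # session id => session data (the "row/file" on the server)
  end

  # Find the session for the id in the client's cookie. A missing or unknown
  # id gets a fresh session under a new random id, never an existing one.
  def load(cookie)
    sid = cookie[:session_id]
    unless sid && @rows.key?(sid)
      sid = SecureRandom.hex(16) # 32 hex characters, unguessable
      @rows[sid] = { flash: {} }
      cookie[:session_id] = sid
    end
    @rows[sid]
  end
end

# One request: a notice set by the previous request is readable now and then
# swept; a notice set now is kept for the next request of the same session.
def handle(store, cookie, set_notice: nil)
  session = store.load(cookie)
  visible = session[:flash][:notice] # what the view would render
  session[:flash] = {}               # shown once, then gone
  session[:flash][:notice] = set_notice if set_notice
  visible
end

def demo
  store = SessionStore.new
  alice = {} # constructed cookie jars, one per browser
  bob = {}
  handle(store, alice, set_notice: "Order saved") # Alice submits a form
  bob_sees = handle(store, bob)                   # Bob's request lands in between
  alice_sees = handle(store, alice)               # Alice follows the redirect
  alice_again = handle(store, alice)              # Alice reloads the page
  unknown_id_sees = handle(store, { session_id: "0" * 32 })
  # The only thing tying a flash to a person is the session id itself:
  handle(store, alice, set_notice: "Second notice")
  same_id_sees = handle(store, { session_id: alice[:session_id] })
  { bob_sees: bob_sees, alice_sees: alice_sees, alice_again: alice_again,
    unknown_id_sees: unknown_id_sees, same_id_sees: same_id_sees }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In this model a notice is never served across sessions by accident; it reaches a second client only when that client presents the same session id, which is why trusting the flash comes down to trusting the session.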