all session data (flash is just a "modified session var") is stored on the server. The only thing stored client side (unless you specificly set it) is the session id and a session key to validate the user.
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks