Fix #5606: this one is a real Mojarra bug which only surfaced after CSP

backport, below is Claude's observation:

Under server-side state saving, ServerSideStateHelper.writeState calls
externalContext.getSession(true) at WriteBehindStateWriter.flushToWriter
time. If the rendered output already exceeds the response buffer (e.g.
the CSP backport in 4.0.17 emits an extra
<script>mojarra.ael(...)</script> per command, roughly doubling per-link
bytes), the response is committed before flushToWriter runs,
getSession(true) then fails with `IllegalStateException: Cannot create a
session after the response has been committed`, aborting the render
mid-form, so </form> and the jakarta.faces.ViewState hidden input never
reach the client.

FaceletViewHandlingStrategy already had a pre-render getSession() guard
for exactly this reason, but it was strict-equality on
STATE_SAVING_METHOD_SERVER, which disagreed with the helper-selection
rule in ResponseStateManagerImpl (anything not
STATE_SAVING_METHOD_CLIENT → ServerSideStateHelper). Configurations
where STATE_SAVING_METHOD is unset or contains an unresolved placeholder
(e.g. ${webapp.stateSavingMethod}) silently used the server helper but
skipped the pre-create.

Fix isServerStateSaving() to mirror the helper-selection rule
(!STATE_SAVING_METHOD_CLIENT.equalsIgnoreCase(...)), and tighten the
pre-create to only fire when actually needed: non-transient view, no
existing session, server-side state saving, and the view contains at
least one UIForm (verified via a short-circuit visitTree). This avoids
gratuitous session creation for plain pages that have no form and would
not write state anyway, which previously caused JSESSIONID URL rewriting
side-effects.

Fixes Issue1817IT regression introduced by the CSP backport.

Author: BalusC

impl/src/main/java/com/sun/faces/application/view/FaceletViewHandlingStrategy.java

@@ -42,7 +42,7 @@
 import static jakarta.faces.application.ProjectStage.Development;
 import static jakarta.faces.application.Resource.COMPONENT_RESOURCE_KEY;
 import static jakarta.faces.application.StateManager.IS_BUILDING_INITIAL_STATE;
-import static jakarta.faces.application.StateManager.STATE_SAVING_METHOD_SERVER;
+import static jakarta.faces.application.StateManager.STATE_SAVING_METHOD_CLIENT;
 import static jakarta.faces.application.ViewHandler.CHARACTER_ENCODING_KEY;
 import static jakarta.faces.application.ViewHandler.DEFAULT_FACELETS_SUFFIX;
 import static jakarta.faces.application.ViewVisitOption.RETURN_AS_MINIMAL_IMPLICIT_OUTCOME;
@@ -91,6 +91,7 @@
 import jakarta.faces.component.Doctype;
 import jakarta.faces.component.EditableValueHolder;
 import jakarta.faces.component.UIComponent;
+import jakarta.faces.component.UIForm;
 import jakarta.faces.component.UIPanel;
 import jakarta.faces.component.UIViewRoot;
 import jakarta.faces.component.html.HtmlDoctype;
@@ -410,7 +411,7 @@ public void renderView(FacesContext ctx, UIViewRoot viewToRender) throws IOExcep
              *
              * Note if you flag a view as transient then we won't acquire the session as you are stating it does not need one.
              */
-            if (isServerStateSaving() && !viewToRender.isTransient()) {
+            if (!viewToRender.isTransient() && extContext.getSession(false) == null && isServerStateSaving() && hasForm(ctx, viewToRender)) {
                 getSession(ctx);
             }
 
@@ -1834,11 +1835,7 @@ private void reapplyDynamicRemove(FacesContext context, ComponentStruct struct)
      * @return true if we are, false otherwise.
      */
     private boolean isServerStateSaving() {
-        if (STATE_SAVING_METHOD_SERVER.equals(webConfig.getOptionValue(StateSavingMethod))) {
-            return true;
-        }
-
-        return false;
+        return !STATE_SAVING_METHOD_CLIENT.equalsIgnoreCase(webConfig.getOptionValue(StateSavingMethod));
     }
 
     /**
@@ -1856,6 +1853,25 @@ private HttpSession getSession(FacesContext context) {
         return null;
     }
 
+    /**
+     * @return true if the view contains at least one {@link UIForm}, in which case state will be written and a session
+     * is needed under server-side state saving.
+     */
+    private static boolean hasForm(FacesContext context, UIViewRoot viewRoot) {
+        if (viewRoot == null || viewRoot.getChildCount() == 0) {
+            return false;
+        }
+        boolean[] found = { false };
+        viewRoot.visitTree(VisitContext.createVisitContext(context), (visitContext, target) -> {
+            if (target instanceof UIForm) {
+                found[0] = true;
+                return VisitResult.COMPLETE;
+            }
+            return VisitResult.ACCEPT;
+        });
+        return found[0];
+    }
+
     /**
      * Gets and if needed initializes the faceletFactory
      *