Session is broken in some cases due to MYFACES-4297

The changes made for MYFACES-4297 introduced a problem: in some cases a session is not created early enough for a session cookie to be written out on a response before it is committed, due to the small default response buffer size.  As mentioned in the comments for 4297, that behavior causes a problem for the ViewScope (and I expect the session as well.) 

As discussed, increasing the javax.faces.FACELETS_BUFFER_SIZE is a workaround, but that's not ideal for a few reasons:
1. apps using the default buffer size value will be broken by the new behavior when updating to 2.3.5
2. there doesn't appear to be a way to update the buffer size for JSPs

We should consider revisiting the changes made in MYFACES-4297.  Or, if nothing else, we might want to add some way to change the default buffer size on the JSP path.