Personally I strongly disagree with putting transient information on the Session object.
The first reason is that sessions are generally pretty heavy and you end up packing it with extra data that sits on the server if the session isn't invalidated or until the server cleans it up.
Secondly it can cause unexpected application behaviour if the client uses the back button or jumps several pages backwards.
Which app server are you using? It might be a bug in their implementation of setAttribute()