Hardening

Session resumption & tickets


TLS session resumption lets a returning client skip the full handshake and the public-key operations it costs. Two mechanisms exist: a server-side **session cache** (the server keeps the session state in memory, keyed by a session ID the client presents) and **session tickets** (the server encrypts the session state with a ticket key and hands the blob to the client, which presents it on the next connection). Tickets are convenient, especially across a cluster, because the server stores nothing. The cost is that the ticket key becomes a master key for everything it has ever protected: in TLS 1.2 a ticket carries the session's master secret, so an attacker who records traffic and later obtains a long-lived ticket key can decrypt every past session that was resumed with a ticket, regardless of the (EC)DHE key exchange used in the original handshake. TLS 1.3 reduces the exposure (a ticket carries a resumption PSK, and a resumed handshake normally performs a fresh (EC)DHE), but a leaked key still exposes whatever the tickets encrypted with it contain. The safe default used here disables tickets (ssl_session_tickets off) and relies on a short-lived shared session cache; the cached state also holds session secrets, but only in server memory and only until the session timeout expires, so keep that timeout short (minutes, not days). If you must enable tickets for performance, supply your own ticket key, rotate it frequently (on the order of the session timeout), keep only the previous key for decryption so outstanding tickets can still resume, and protect the key file like a private key: nginx reads the key files at startup and on reload, so rotation is not effective until the configuration is reloaded. Without an explicit key, the key nginx generates at startup lives as long as the process does, which is exactly the long-lived-key case described above.
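The rotation routine the paragraph calls for, as an added example (not part of this page or of nginx): a POSIX shell helper that generates a fresh 80-byte ticket key, shifts the previous keys down so tickets issued under them can still be decrypted for one more rotation period, drops the oldest, and prints the matching ssl_session_ticket_key directives. The directory layout (ticket.1.key is the current encryption key, higher numbers are decrypt-only) and the number of retained keys are this example's own choices; nginx itself only requires that each key file be exactly 48 or 80 bytes and that the first listed key is the one used to encrypt new tickets.

```shell
#!/bin/sh
# Added example: rotate nginx session-ticket keys (ssl_session_ticket_key).
# Layout (an assumption of this example, not an nginx convention):
#   DIR/ticket.1.key  current key, encrypts new tickets and decrypts
#   DIR/ticket.2.key  previous key, decrypt-only
#   DIR/ticket.3.key  oldest retained key, decrypt-only
# nginx accepts key files of exactly 48 bytes (AES-128) or 80 bytes (AES-256);
# it encrypts with the first ssl_session_ticket_key listed and decrypts with any.
set -eu

KEY_BYTES=80   # 80 bytes => 16-byte name + 32-byte AES-256 key + 32-byte HMAC key
KEEP=3         # current key plus two previous ones

# key_file_ok FILE : true if FILE has a size nginx will accept.
key_file_ok() {
    [ -f "$1" ] || return 1
    size=$(( $(wc -c < "$1") ))   # arithmetic expansion strips wc's padding
    [ "$size" -eq 48 ] || [ "$size" -eq 80 ]
}

# rotate_ticket_keys DIR : shift ticket.N-1 -> ticket.N, discard ticket.KEEP,
# then write a new random ticket.1 atomically so nginx never reads a partial file.
rotate_ticket_keys() {
    dir=$1
    mkdir -p "$dir"
    i=$KEEP
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/ticket.$prev.key" ]; then
            mv "$dir/ticket.$prev.key" "$dir/ticket.$i.key"   # overwrites the oldest
        fi
        i=$prev
    done
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && head -c "$KEY_BYTES" /dev/urandom > "$dir/ticket.1.key.tmp" )
    key_file_ok "$dir/ticket.1.key.tmp" || { rm -f "$dir/ticket.1.key.tmp"; return 1; }
    mv "$dir/ticket.1.key.tmp" "$dir/ticket.1.key"
}

# print_ticket_directives DIR : emit the nginx directives for the keys present,
# current key first so it is the one used for encryption.
print_ticket_directives() {
    dir=$1
    echo "ssl_session_tickets on;"
    i=1
    while [ "$i" -le "$KEEP" ]; do
        if [ -f "$dir/ticket.$i.key" ]; then
            echo "ssl_session_ticket_key $dir/ticket.$i.key;"
        fi
        i=$((i + 1))
    done
}

# Usage: rotate-ticket-keys.sh /etc/nginx/ticket-keys && nginx -s reload
if [ "$#" -ge 1 ]; then
    rotate_ticket_keys "$1"
    print_ticket_directives "$1"
fi
```

Run it from a timer or cron job at the same interval you give ssl_session_timeout, and follow it with a reload so nginx picks up the new files; a ticket encrypted under a key that has been rotated out of the list is simply rejected and the client falls back to a full handshake, which is the intended failure mode. In a cluster every node must receive the same key files, otherwise tickets only resume against the node that issued them.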
