Description
It appears that ATS does not track session ID/session ticket expiration. It is the TLS server implementation's responsibility not to allow resumption of previously negotiated credentials after they have expired. Because time/expiration is not tracked, the upper limit on how long an attacker has to compromise previously negotiated keys may be bounded only by cache eviction under heavy traffic flow. This effectively removes the time limits that various factoring attacks would otherwise be subject to, e.g. TLS FREAK and others.
General TLS guidelines (e.g. RFC 5246, Sec. F.1.4, and its predecessors) suggest an upper limit of 24 hours. NIST has an independent set of guidelines that may be more tailored to specific cipher suites. The actual time limit should be out of scope for the implementation and handled by configuration; however, ATS should honor the operator-set time limit.
A first pass would refuse session re-use once the lifetime measured from the initial negotiation has elapsed. A better implementation would not only refuse re-use, but would also zero out the stored master/session key material as soon as the expiration time is reached.
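As an added illustration of the two behaviours requested above (not ATS code, and not tied to any ATS API), here is a minimal server-side session cache that records the time of the original full handshake, refuses resumption once an operator-configured lifetime has elapsed, and scrubs the stored master secret at the moment of expiry, both on lookup and via a periodic sweep that does not depend on traffic volume. The `SessionCache` class, the `lifetimeSeconds` parameter, and the caller-supplied `now` timestamp are assumptions for the example; stateless session tickets would instead carry the handshake timestamp inside the encrypted ticket and check it the same way on decryption.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Hypothetical session cache for illustration only; not Apache Traffic Server code.
// TLS 1.2 master secrets are 48 bytes (RFC 5246, Sec. 8.1).
using MasterSecret = std::array<uint8_t, 48>;

// Overwrite key material through a volatile pointer so the compiler cannot
// elide the stores as "dead" writes before the memory is freed.
static void secureZero(void* p, size_t n) {
    volatile uint8_t* v = static_cast<volatile uint8_t*>(p);
    while (n--) *v++ = 0;
}

struct SessionEntry {
    MasterSecret secret{};
    uint64_t createdAt = 0;  // seconds; time of the FULL handshake, never updated on reuse
};

class SessionCache {
public:
    // lifetimeSeconds is the operator-configured limit (assumed config knob);
    // RFC 5246 F.1.4 suggests no more than 24 hours.
    explicit SessionCache(uint64_t lifetimeSeconds) : lifetime_(lifetimeSeconds) {}

    void store(const std::string& id, const MasterSecret& s, uint64_t now) {
        SessionEntry e;
        e.secret = s;
        e.createdAt = now;
        entries_[id] = e;
    }

    // Resume only while the session is within its lifetime. A successful lookup
    // does not extend the lifetime: the clock runs from the original negotiation.
    // Expired entries are scrubbed and evicted on the spot.
    bool resume(const std::string& id, uint64_t now, MasterSecret& out) {
        auto it = entries_.find(id);
        if (it == entries_.end()) return false;
        if (expired(it->second, now)) {
            evict(it);
            return false;
        }
        out = it->second.secret;
        return true;
    }

    // Periodic sweep: zero and drop every expired entry so key material does not
    // linger in memory waiting for cache pressure. Returns the number removed.
    size_t sweep(uint64_t now) {
        size_t removed = 0;
        for (auto it = entries_.begin(); it != entries_.end();) {
            if (expired(it->second, now)) {
                it = evict(it);
                ++removed;
            } else {
                ++it;
            }
        }
        return removed;
    }

    size_t size() const { return entries_.size(); }

private:
    using Map = std::map<std::string, SessionEntry>;

    bool expired(const SessionEntry& e, uint64_t now) const {
        // A clock that went backwards is treated as "not yet expired" rather than
        // underflowing; the sweep will catch the entry once time moves forward.
        if (now < e.createdAt) return false;
        return now - e.createdAt >= lifetime_;
    }

    Map::iterator evict(Map::iterator it) {
        secureZero(it->second.secret.data(), it->second.secret.size());
        return entries_.erase(it);
    }

    uint64_t lifetime_;
    Map entries_;
};
```

The important design choice is that `createdAt` is set once, at the full handshake, and never refreshed on resumption; a sliding window would let a continuously used session outlive the configured limit, which is exactly the unbounded exposure the report describes.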