I think there are two takeaways from this

1. A timely reminder nothing is perfectly secure

2. Don't use session tickets. Store nothing on the client except a random key. You will cock it up.