docs: update stateful resumption doc (aws#4818)

Co-authored-by: Lindsay Stewart <stewart.r.lindsay@gmail.com>

docs/usage-guide/topics/ch11-resumption.md

@@ -25,6 +25,8 @@ Servers should set the three caching callback functions: `s2n_config_set_cache_s
 
 Clients should call `s2n_connection_get_session()` to retrieve some serialized state about the session. Then `s2n_connection_set_session()` should be called with that saved state when attempting to resume a new connection.
 
+The `cache_delete_callback` is called when a connection encounters a fatal error. This allows a server to delete a potentially corrupted or faulty session from its cache. Because an unexpected end-of-stream is considered a fatal error, an application should ensure that it performs a graceful TLS shutdown when using session caching. For more information on how to close connections, see [Closing the Connection](./ch07-io.md#closing-the-connection).
+
 ## Session Resumption in TLS1.2 and TLS1.3
 
 In TLS1.2, session ticket messages are sent during the handshake and are automatically received as part of calling `s2n_negotiate()`. They will be available as soon as negotiation is complete.

tls/s2n_recv.c

@@ -206,7 +206,11 @@ ssize_t s2n_recv_impl(struct s2n_connection *conn, void *buf, ssize_t size_signe
                 break;
             }
 
-            /* If we get here, it's an error condition */
+            /* If we get here, it's an error condition. 
+             * For stateful resumption, invalidate the session on error to prevent resumption with 
+             * potentially corrupted session state. This ensures that a bad session state does not 
+             * lead to repeated failures during resumption attempts.
+             */
             if (s2n_errno != S2N_ERR_IO_BLOCKED && s2n_allowed_to_cache_connection(conn) && conn->session_id_len) {
                 conn->config->cache_delete(conn, conn->config->cache_delete_data, conn->session_id, conn->session_id_len);
             }