id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23957	Start a deprecation path toward requiring session verification	Tim Graham	Tim Graham	"From Carl in comments of #23939: ""Is there a use case for a long-term simple way to disable this behavior? Or is it just a way to preserve sessions across the upgrade that we need? I think we should be on a deprecation path to making [session verification] always-on; I think it's fine if you have to write your own `AuthenticationMiddleware` if you don't want it.""

As far as I know, the only-use case for disabling it was to provide an upgrade path.

The deprecation path could look like this:

1.8: Raise `RemovedInDjango20Warning` if `AuthenticationMiddleware` but not `SessionAuthenticationMiddleware` is in `MIDDLEWARE_CLASSES` (because session verification will be mandatory in 2.0)
2.0:  It's now safe to remove `SessionAuthenticationMiddleware` from `MIDDLEWARE_CLASSES` since the behavior can't be turned off. Raise `RemovedInDjango22Warning` if it's there so we can eventually remove the class."	Cleanup/optimization	closed	contrib.auth	dev	Normal	fixed			Accepted	1	0	0	0	0	0