From 401c5b2e42bf9134d9221f446765dd0777306f0b Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Sat, 31 Dec 2016 13:58:42 -0500
Subject: [PATCH] Refs #23957 -- Removed the useless
 SessionAuthenticationMiddleware.

---
 django/contrib/auth/middleware.py | 13 -------------
 docs/releases/2.0.txt             |  4 +++-
 docs/topics/auth/default.txt      |  9 ---------
 3 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py
index f179894e73..f39a17bb9c 100644
--- a/django/contrib/auth/middleware.py
+++ b/django/contrib/auth/middleware.py
@@ -24,19 +24,6 @@ class AuthenticationMiddleware(MiddlewareMixin):
         request.user = SimpleLazyObject(lambda: get_user(request))
 
 
-class SessionAuthenticationMiddleware(MiddlewareMixin):
-    """
-    Formerly, a middleware for invalidating a user's sessions that don't
-    correspond to the user's current session authentication hash. However, it
-    caused the "Vary: Cookie" header on all responses.
-
-    It's now a shim to allow a single settings file to more easily support
-    multiple versions of Django. Will be RemovedInDjango20Warning.
-    """
-    def process_request(self, request):
-        pass
-
-
 class RemoteUserMiddleware(MiddlewareMixin):
     """
     Middleware for utilizing Web-server-provided authentication.
diff --git a/docs/releases/2.0.txt b/docs/releases/2.0.txt
index ec5e0aada9..3ae58ed858 100644
--- a/docs/releases/2.0.txt
+++ b/docs/releases/2.0.txt
@@ -212,7 +212,9 @@ Database backend API
 Miscellaneous
 -------------
 
-* ...
+* The ``SessionAuthenticationMiddleware`` class is removed. It provided no
+  functionality since session authentication is unconditionally enabled in
+  Django 1.10.
 
 .. _deprecated-features-2.0:
 
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 5869ff0d30..b1f111c092 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -824,15 +824,6 @@ user to the login page or issue an HTTP 403 Forbidden response.
 Session invalidation on password change
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-.. versionchanged:: 1.10
-
-    Session verification is enabled and mandatory in Django 1.10 (there's no
-    way to disable it) regardless of whether or not
-    ``SessionAuthenticationMiddleware`` is enabled. In older
-    versions, this protection only applies if
-    ``django.contrib.auth.middleware.SessionAuthenticationMiddleware``
-    is enabled in :setting:`MIDDLEWARE`.
-
 If your :setting:`AUTH_USER_MODEL` inherits from
 :class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own
 :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`