author David Wobrock <david.wobrock@gmail.com> 2023-03-06 16:18:03 +0100
committer Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-03-08 11:33:47 +0100
commit ba1654cb54eccef3ba29e455cd5065aed84e1f90 (patch)
tree 5602ec76c309515ea07cbfc99b0b1035d044f8c1 /docs/ref
parent ff3e3eb2bd6c259807e5409a8e7299d00a42687e (diff)
[4.1.x] Fixed #34384 -- Fixed session validation when rotation secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.
Thanks Eric Zarowny for the report.
Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main
Diffstat (limited to 'docs/ref')
-rw-r--r-- docs/ref/contrib/auth.txt 9
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt
index abcf3905c9..2996ac788c 100644
--- a/docs/ref/contrib/auth.txt
+++ b/docs/ref/contrib/auth.txt
@@ -699,10 +699,17 @@ Utility functions
``get_user()`` method to retrieve the user model instance and then verifies
the session by calling the user model's
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash`
- method.
+ method. If the verification fails and :setting:`SECRET_KEY_FALLBACKS` are
+ provided, it verifies the session against each fallback key using
+ :meth:`~django.contrib.auth.models.AbstractBaseUser.\
+ get_session_auth_fallback_hash`.
Returns an instance of :class:`~django.contrib.auth.models.AnonymousUser`
if the authentication backend stored in the session is no longer in
:setting:`AUTHENTICATION_BACKENDS`, if a user isn't returned by the
backend's ``get_user()`` method, or if the session auth hash doesn't
validate.
+
+ .. versionchanged:: 4.1.8
+
+ Fallback verification with :setting:`SECRET_KEY_FALLBACKS` was added.
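
Review bot: The added sentence in the ``get_user()`` description says what is tried when verification fails, but not what happens to the session once a fallback key matches. State whether the stored session hash is then re-issued under the current key or keeps validating only through the fallback, since that decides whether removing a key from :setting:`SECRET_KEY_FALLBACKS` logs those users out. The closing condition "if the session auth hash doesn't validate" could also read "doesn't validate against the current key or any fallback key", so that it agrees with the new sentence above it.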