Refs #27468 -- Made user sessions use SHA-256 algorithm.

docs/internals/deprecation.txt

@@ -57,6 +57,9 @@ details on these changes.
 * Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
   (encoded with the SHA-1 algorithm) will be removed.
 
+* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
+  will be removed.
+
 * The ``get_request`` argument for
   ``django.utils.deprecation.MiddlewareMixin.__init__()`` will be required and
   won't accept ``None``.

docs/releases/3.1.txt

@@ -98,6 +98,10 @@ Minor features
 * The password reset mechanism now uses the SHA-256 hashing algorithm. Support
   for tokens that use the old hashing algorithm remains until Django 4.0.
 
+* :meth:`.AbstractBaseUser.get_session_auth_hash` now uses the SHA-256 hashing
+  algorithm. Support for user sessions that use the old hashing algorithm
+  remains until Django 4.0.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

docs/topics/auth/customizing.txt

@@ -713,6 +713,10 @@ The following attributes and methods are available on any subclass of
         Returns an HMAC of the password field. Used for
         :ref:`session-invalidation-on-password-change`.
 
+        .. versionchanged:: 3.1
+
+            The hashing algorithm was changed to the SHA-256.
+
 :class:`~models.AbstractUser` subclasses :class:`~models.AbstractBaseUser`:
 
 .. class:: models.AbstractUser