Fixed #23957 -- Started deprecation toward requiring session verification.

Thanks Carl Meyer for review.

docs/releases/1.8.txt

@@ -1158,6 +1158,21 @@ The default value of the
 :attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>`
 attribute will change from ``True`` to ``False`` in Django 1.9.
 
+Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+:class:`django.contrib.auth.middleware.SessionAuthenticationMiddleware` was
+added in Django 1.7. In Django 1.7.2, its functionality was moved to
+``auth.get_user()`` and, for backwards compatibility, enabled only if
+``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` appears in
+:setting:`MIDDLEWARE_CLASSES`.
+
+In Django 2.0, session verification will be enabled regardless of whether or not
+``SessionAuthenticationMiddleware`` is enabled (at which point
+``SessionAuthenticationMiddleware`` will have no significance). You can add it
+to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the
+:ref:`upgrade considerations <session-invalidation-on-password-change>` first.
+
 .. removed-features-1.8:
 
 Features removed in 1.8