feat(auth): session fallback upgrade (swev-id: django__django-16631)#515

Open
casey-brooks wants to merge 1 commit into django__django-16631 from noa/issue-510

Conversation

@casey-brooks

Issue

Observed Failure (pre-fix)

FAIL: test_session_auth_hash_validated_against_fallbacks_and_upgraded (auth_tests.test_session_auth_hash_fallbacks.SessionAuthHashFallbackTests.test_session_auth_hash_validated_against_fallbacks_and_upgraded)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/auth_tests/test_session_auth_hash_fallbacks.py", line 37, in test_session_auth_hash_validated_against_fallbacks_and_upgraded
    self.assertTrue(response.wsgi_request.user.is_authenticated)
AssertionError: False is not true

Reproduction Steps

  1. Check out django__django-16631 without this patch.
  2. Apply tests/auth_tests/test_session_auth_hash_fallbacks.py from this branch.
  3. Run PYTHONPATH=$PWD .venv/bin/python tests/runtests.py auth_tests.test_session_auth_hash_fallbacks --parallel=1.

Fix Summary

  • Iterate session auth hash validation across SECRET_KEY and SECRET_KEY_FALLBACKS when using the default AbstractBaseUser.get_session_auth_hash implementation.
  • Transparently upgrade sessions issued under a fallback secret by cycling the key and re-seeding _auth_user_hash under the active secret.
  • Consolidate the session hash key salt in SESSION_AUTH_HASH_KEY_SALT for reuse across fallback validation.
  • Add regression coverage for fallback validation, upgrade behavior, mismatch handling, missing fallbacks, and custom hash overrides.

Testing

  • PYTHONPATH=$PWD .venv/bin/python tests/runtests.py auth_tests --parallel=1
  • .venv/bin/flake8 django/contrib/auth/__init__.py django/contrib/auth/base_user.py tests/auth_tests/test_session_auth_hash_fallbacks.py

CI

  • Not run (per instructions).
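A stand-alone model of the validate-then-upgrade flow described in the Fix Summary above (added example; not code from this PR or from Django). The salted_hmac construction, the salt value, the `custom_hash` flag and the `secrets.token_hex` emulation of `cycle_key()` are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed salt value; the PR only names the SESSION_AUTH_HASH_KEY_SALT constant.
SESSION_AUTH_HASH_KEY_SALT = "session-auth-hash-salt"
HASH_SESSION_KEY = "_auth_user_hash"


def salted_hmac(key_salt, value, secret):
    """HMAC-SHA256 keyed by sha256(key_salt + secret); models, not copies, Django's helper."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def session_auth_hash(password_hash, secret):
    """Default-style session auth hash derived from the user's stored password hash."""
    return salted_hmac(SESSION_AUTH_HASH_KEY_SALT, password_hash, secret)


def verify_session(session, password_hash, secret_key, fallbacks, custom_hash=False):
    """Return True if the session's auth hash is valid under the active key or a fallback.

    A hash that only matched a fallback secret is upgraded in place: the session
    key is cycled and _auth_user_hash is re-seeded under the active secret, so the
    old secret can later be dropped from SECRET_KEY_FALLBACKS. Fallbacks are only
    consulted for the default hash implementation (custom_hash=False), since a
    custom override may not be keyed by SECRET_KEY at all.
    """
    stored = session.get(HASH_SESSION_KEY)
    if not stored:
        return False
    current = session_auth_hash(password_hash, secret_key)
    if hmac.compare_digest(stored, current):
        return True
    if custom_hash:
        return False
    for fallback in fallbacks:
        if hmac.compare_digest(stored, session_auth_hash(password_hash, fallback)):
            session["session_key"] = secrets.token_hex(16)  # emulates cycle_key()
            session[HASH_SESSION_KEY] = current
            return True
    return False


def demo():
    """Rotate secrets and show a session issued under the old secret surviving the rotation."""
    pw_hash = "pbkdf2_sha256$constructed$salt$hash"  # constructed stand-in for user.password
    old, new = "old-secret", "new-secret"
    session = {"session_key": "abc123", HASH_SESSION_KEY: session_auth_hash(pw_hash, old)}
    ok = verify_session(session, pw_hash, new, [old])
    return ok, session[HASH_SESSION_KEY] == session_auth_hash(pw_hash, new)
```

Each branch mirrors one of the regression cases the PR lists: fallback match with upgrade, mismatch, missing fallbacks, and a custom hash override that skips fallback validation.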

@casey-brooks casey-brooks requested a review from a team December 24, 2025 17:08
@casey-brooks
Author

Tests & Lint Summary:

  • PYTHONPATH=/workspace/django .venv/bin/python tests/runtests.py auth_tests --parallel=1 (610 passed, 0 failed)
  • .venv/bin/flake8 django/contrib/auth/__init__.py django/contrib/auth/base_user.py tests/auth_tests/test_session_auth_hash_fallbacks.py (no issues)


@noa-lucent noa-lucent left a comment


Thanks for documenting the default test site; matches current post_syncdb behavior.

@casey-brooks
Author

Test & Lint Summary

  • PYTHONPATH=$PWD python tests/runtests.py auth_tests.test_session_auth_hash_fallbacks --parallel=1: passed (4 passed, 0 failed, 0 skipped)
  • PYTHONPATH=$PWD python tests/runtests.py auth_tests.test_basic auth_tests.test_middleware auth_tests.test_views --parallel=1: passed (129 passed, 0 failed, 0 skipped)
  • PYTHONPATH=$PWD python tests/runtests.py auth_tests --parallel=1: passed (600 passed, 0 failed, 10 skipped)
  • flake8 django/contrib/auth/__init__.py django/contrib/auth/base_user.py tests/auth_tests/test_session_auth_hash_fallbacks.py: lint clean (no errors)

@rowan-stein rowan-stein changed the base branch from django__django-16631 to main January 11, 2026 20:34
@rowan-stein rowan-stein changed the base branch from main to django__django-16631 January 12, 2026 20:14

Development

Successfully merging this pull request may close these issues.

SECRET_KEY_FALLBACKS is not used for sessions
