minor #5664 Info about implicit session start (ThomasLandauer)

This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #5664).

Discussion
----------

Info about implicit session start

This should be explained *somewhere* (took me a while to figure it out). If this is not the right place (or format), please go ahead and correct it!

Commits
-------

662bb01 Info about implicit session start

Author: xabbuh

book/forms.rst

@@ -1783,6 +1783,11 @@ The ``_token`` field is a hidden field and will be automatically rendered
 if you include the ``form_end()`` function in your template, which ensures
 that all un-rendered fields are output.
 
+.. caution::
+
+    Since the token is stored in the session, a session is started automatically
+    as soon as you render a form with CSRF protection.
+
 The CSRF token can be customized on a form-by-form basis. For example::
 
     use Symfony\Component\OptionsResolver\OptionsResolverInterface;