diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
index dc1da08..40e1d98 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
@@ -27,10 +27,21 @@ class AuthenticationManager implements AuthenticationProviderInterface {
  protected $triggered_provider = '';
 
  /**
+ * Fallback provider.
+ *
+ * The provider to use if no other provider feels responsible.
+ *
+ * @var string
+ */
+ protected $fallbackProvider = 'authentication.cookie';
+
+ /**
  * Add provider to the array of registered providers.
  *
- * @param $provider_id
+ * @param string $provider_id
+ * Identifier of the provider.
  * @param AuthenticationProviderInterface $provider
+ * The provider object.
  */
  public function addProvider($provider_id, AuthenticationProviderInterface $provider) {
  $this->providers[$provider_id] = $provider;
@@ -43,26 +54,35 @@ public function addProvider($provider_id, AuthenticationProviderInterface $provi
  * Throws exception in case two authentication providers had credentials.
  */
  public function authenticate(Request $request) {
+ global $user;
 
- foreach ($this->providers as $provider_id => $provider) {
- $result = $provider->authenticate($request);
+ // Prevent the fallback provider to not be executed before any other
+ // provider.
+ $providers = $this->providers;
+ unset($providers[$this->fallbackProvider]);
 
- if ($result !== NULL) {
+ foreach ($providers as $provider_id => $provider) {
+ $account = $provider->authenticate($request);
+
+ if ($account !== NULL) {
  // We do not allow request to have information to authenticate
  // with two methods at the same time.
  if (!empty($this->triggered_provider)) {
  throw new BadRequestHttpException(t('Multiple authentication methods are not allowed.'));
  }
  $this->triggered_provider = $provider_id;
+ $user = $account;
  }
  }
 
- // Cookie provider initialize anonymous user by default, so if no other providers
- // authenticated request we treat it as authenticated by cookie.
+ // If now other authentication provider feels responsible, use the fallback.
  if (empty($this->triggered_provider)) {
- $this->triggered_provider = 'authentication.cookie';
+ $user = $this->triggered_provider = $this->fallbackProvider;
+ $this->providers[$this->fallbackProvider]->authenticate($request);
  }
- // Save id of provider to request so it is checked in AuthenticationProviderAccessCheck.
+
+ // Save id of provider to request so it is checked in
+ // AuthenticationProviderAccessCheck.
  $request->attributes->set('_authentication_provider', substr($this->triggered_provider, strlen('authentication.')));
  }
 
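Review bot: In the fallback branch, `$user = $this->triggered_provider = $this->fallbackProvider;` assigns the provider id string to the global `$user`, and the value returned by the fallback provider's `authenticate()` on the next line is discarded, so the account is only correct if that call overwrites the global itself (presumably via the session initialisation in Cookie). I would write `$this->triggered_provider = $this->fallbackProvider;` followed by `$user = $this->providers[$this->fallbackProvider]->authenticate($request);`, so the global never holds a non-account value. The lookup should also be guarded with `isset($this->providers[$this->fallbackProvider])`, since nothing visible guarantees that provider was registered through addProvider(). Separately, the loop's `$account !== NULL` test lets a `FALSE` result, which the interface still documents for failed credentials, reach `$user = $account;` and mark the provider as triggered.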
@@ -70,6 +90,7 @@ public function authenticate(Request $request) {
  * Does clean up by running cleanup() of provider that authenticated the user.
  *
  * @param Request $request
+ * The request object.
  */
  public function cleanup(Request $request) {
  if (empty($this->triggered_provider)) {
diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationProviderInterface.php b/core/lib/Drupal/Core/Authentication/AuthenticationProviderInterface.php
index a44a210..f9f0261 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationProviderInterface.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationProviderInterface.php
@@ -20,9 +20,10 @@
  * This method called early on KernelEvents::REQUEST event.
  *
  * @param Request $request
+ * The request object.
  *
- * @return mixed
- * TRUE - in case we authenticated user
+ * @return Drupal\Core\Session\AccountInterface|FALSE|NULL
+ * AccountInterface - in case we authenticated user
  * FALSE - in case we had credentials for authentication but user failed
  * NULL - no authentication credentials were found in request
  */
@@ -34,8 +35,7 @@ public function authenticate(Request $request);
  * This method called late on KernelEvents::RESPONSE event.
  *
  * @param Request $request
- *
- * @return mixed
+ * The request object.
  */
  public function cleanup(Request $request);
  }
diff --git a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
index 57e33f9..bf9eb09 100644
--- a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
+++ b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
@@ -19,11 +19,10 @@ class Cookie implements AuthenticationProviderInterface {
  * {@inheritdoc}
  */
  public function authenticate(Request $request) {
+ global $user;
  require_once DRUPAL_ROOT . '/' . settings()->get('session_inc', 'core/includes/session.inc');
  drupal_session_initialize();
- if (user_is_logged_in()) {
- return TRUE;
- }
+ return $user;
  }
 
  /**
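Review bot: `return $user;` in Cookie::authenticate() hands back the global unconditionally, so a request without a session returns whatever drupal_session_initialize() left there (presumably the anonymous account) instead of `NULL`, which the interface documents for "no authentication credentials were found". That is harmless only while Cookie is the fallback and is skipped by the manager's loop; run inside the loop it would count as a triggered provider on every request and collide with any other provider that found credentials. A docblock line on this method would make the constraint explicit, for example `Always returns the session account, anonymous included; only valid as the fallback provider.`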
diff --git a/core/lib/Drupal/Core/Authentication/Provider/HttpBasic.php b/core/lib/Drupal/Core/Authentication/Provider/HttpBasic.php
index 0992f52..61284c4 100644
--- a/core/lib/Drupal/Core/Authentication/Provider/HttpBasic.php
+++ b/core/lib/Drupal/Core/Authentication/Provider/HttpBasic.php
@@ -24,11 +24,9 @@ public function authenticate(Request $request) {
  if ($username && $password) {
  $uid = user_authenticate($username, $password);
  if ($uid) {
- global $user;
- $user = user_load($uid);
- return TRUE;
+ return user_load($uid);
  }
- return FALSE;
+ return NULL;
  }
  }
 
diff --git a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
index de53505..8c624d3 100644
--- a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php
@@ -63,7 +63,7 @@ public function onRespond(FilterResponseEvent $event) {
  * An array of event listener definitions.
  */
  static function getSubscribedEvents() {
- $events[KernelEvents::REQUEST][] = array('onKernelRequestAuthenticate', 100);
+ $events[KernelEvents::REQUEST][] = array('onKernelRequestAuthenticate', 300);
  $events[KernelEvents::RESPONSE][] = array('onRespond', 0);
  return $events;
  }
diff --git a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
index c9f1b0a..479b880 100644
--- a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
+++ b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
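Review bot: Changing `return FALSE;` to `return NULL;` in HttpBasic::authenticate() makes a request with wrong Basic credentials indistinguishable from one that sent none, so the manager falls through to the fallback provider instead of treating the request as a failed login. The interface docblock updated in this same commit still lists `FALSE` for "had credentials for authentication but user failed", so the documented contract and this implementation now disagree. Either keep `return FALSE;` and have the manager refuse the request on `FALSE`, or drop the `FALSE` case from the interface and state the choice here with a comment such as `// Failed credentials are treated as absent; the fallback provider decides.` The start of authenticate() is outside the hunk.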
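Review bot: The priority change from 100 to 300 for `onKernelRequestAuthenticate` in getSubscribedEvents() is unexplained, although listener order decides which REQUEST subscribers run with an authenticated `$user`. A comment above the line naming what authentication must precede would keep a later priority edit from silently moving code ahead of it, for example `// Must run before LISTENER_NAME so the account is set first.` (LISTENER_NAME is a placeholder; the page does not show which listener motivated the change).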
@@ -50,7 +50,7 @@ public function onKernelResponseSessionTest(FilterResponseEvent $event) {
  */
  static function getSubscribedEvents() {
  $events[KernelEvents::RESPONSE][] = array('onKernelResponseSessionTest', 300);
- $events[KernelEvents::REQUEST][] = array('onKernelRequestSessionTest', 300);
+ $events[KernelEvents::REQUEST][] = array('onKernelRequestSessionTest', 100);
  return $events;
  }