diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php index 40e1d98..362150c 100644 --- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php +++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php @@ -24,7 +24,7 @@ class AuthenticationManager implements AuthenticationProviderInterface { * * @var string */ - protected $triggered_provider = ''; + protected $triggeredProvider = ''; /** * Fallback provider. @@ -33,7 +33,17 @@ class AuthenticationManager implements AuthenticationProviderInterface { * * @var string */ - protected $fallbackProvider = 'authentication.cookie'; + protected $fallbackProvider; + + /** + * Constructor. + * + * @param string $fallback_provider + * The default provider to use if no other provider feels responsible. + */ + public function __construct($fallback_provider = 'authentication.cookie') { + $this->fallbackProvider = $fallback_provider; + } /** * Add provider to the array of registered providers. @@ -48,13 +58,14 @@ public function addProvider($provider_id, AuthenticationProviderInterface $provi } /** - * Authenticate user by running autheticate() method on each of providers. + * Authenticate user by running authenticate() method on each of providers. * * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException * Throws exception in case two authentication providers had credentials. */ public function authenticate(Request $request) { global $user; + $account = FALSE; // Prevent the fallback provider to not be executed before any other // provider. 
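Review bot: The new constructor in the `@@ -33,7 +33,17 @@` hunk accepts any string as the fallback provider ID, and nothing visible checks that the ID was registered through addProvider() or that it starts with `authentication.`. authenticate() later indexes `$this->providers[$this->fallbackProvider]` and strips a fixed `strlen('authentication.')` prefix before storing `_authentication_provider`, which the comment there says AuthenticationProviderAccessCheck reads. A differently named fallback would therefore hand that check a mangled provider name. I would state the requirement in the `@param` text, for example `The service ID of the fallback provider; it must be registered with addProvider() and start with 'authentication.'.`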
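Review bot: `$account = FALSE;` in the `@@ -48,13 +58,14 @@` hunk introduces a second "no account" value next to the `NULL` that the provider loop tests with `$account !== NULL` and that Cookie::authenticate() returns after this commit. Initialising with `$account = NULL;` keeps one convention, and the later `if (!$account)` fallback to the anonymous user still works. The body of authenticate() continues outside this hunk.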
@@ -67,23 +78,33 @@ public function authenticate(Request $request) { if ($account !== NULL) { // We do not allow request to have information to authenticate // with two methods at the same time. - if (!empty($this->triggered_provider)) { + if (!empty($this->triggeredProvider)) { throw new BadRequestHttpException(t('Multiple authentication methods are not allowed.')); } - $this->triggered_provider = $provider_id; - $user = $account; + $this->triggeredProvider = $provider_id; } } // If now other authentication provider feels responsible, use the fallback. - if (empty($this->triggered_provider)) { - $user = $this->triggered_provider = $this->fallbackProvider; - $this->providers[$this->fallbackProvider]->authenticate($request); + if (empty($this->triggeredProvider)) { + $this->triggeredProvider = $this->fallbackProvider; + $account = $this->providers[$this->fallbackProvider]->authenticate($request); } + elseif ($this->providers[$this->fallbackProvider]->authenticate($request)) { + throw new BadRequestHttpException(t('Multiple authentication methods are not allowed.')); + } + + // No provider returned a valid account - assume anonymous. + if (!$account) { + $account = drupal_anonymous_user(); + } + + // Set the global user to the account returned by the triggered provider. + $user = $account; // Save id of provider to request so it is checked in // AuthenticationProviderAccessCheck. - $request->attributes->set('_authentication_provider', substr($this->triggered_provider, strlen('authentication.'))); + $request->attributes->set('_authentication_provider', substr($this->triggeredProvider, strlen('authentication.'))); } /** 
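Review bot: With `$user = $account;` moved out of the `if ($account !== NULL)` branch to the end of authenticate(), the global `$user` receives whatever `$account` holds after the loop, not necessarily the account returned by the provider recorded in `$this->triggeredProvider`. The loop header and the assignment to `$account` are above this hunk, but if `$account` is reassigned for every provider, a provider that runs after the triggering one and returns NULL resets it. The request would then be handled as anonymous while `_authentication_provider` still names the triggering provider. Keeping the triggering provider's account in its own variable, as sketched below, avoids this. Separately, the new `elseif` calls the fallback provider's authenticate() only to detect a second set of credentials, so that provider's side effects run on every request another provider has authenticated.

```php
        $this->triggeredProvider = $provider_id;
        // $account is reused for every provider, so keep the triggering
        // provider's result separately.
        $authenticated = $account;
    // … unchanged: end of the provider loop …
    if (empty($this->triggeredProvider)) {
      $this->triggeredProvider = $this->fallbackProvider;
      $authenticated = $this->providers[$this->fallbackProvider]->authenticate($request);
    }
    // … unchanged: elseif branch rejecting a second authentication method …

    // No provider returned a valid account - assume anonymous.
    if (empty($authenticated)) {
      $authenticated = drupal_anonymous_user();
    }

    // Set the global user to the account returned by the triggered provider.
    $user = $authenticated;
```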
@@ -93,10 +114,10 @@ public function authenticate(Request $request) { * The request object. */ public function cleanup(Request $request) { - if (empty($this->triggered_provider)) { + if (empty($this->triggeredProvider)) { return; } - $provider = $this->providers[$this->triggered_provider]; + $provider = $this->providers[$this->triggeredProvider]; $provider->cleanup($request); } } diff --git a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php index bf9eb09..6a233a6 100644 --- a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php +++ b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php @@ -22,7 +22,10 @@ public function authenticate(Request $request) { global $user; require_once DRUPAL_ROOT . '/' . settings()->get('session_inc', 'core/includes/session.inc'); drupal_session_initialize(); - return $user; + if (drupal_session_started()) { + return $user; + } + return NULL; } /** diff --git a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php index 8c624d3..073a6dd 100644 --- a/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php @@ -24,7 +24,7 @@ class AuthenticationSubscriber implements EventSubscriberInterface { * * @var AuthenticationProviderInterface */ - private $authentication_manager; + protected $authenticationManager; /** * Keep authentication manager as private variable. 
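Review bot: In Cookie::authenticate() the new `drupal_session_started()` branch returns the global `$user` without checking which account the session belongs to, and the new `elseif` in AuthenticationManager::authenticate() treats any truthy return as a second authentication method. If a session can be started for an anonymous visitor (not visible here), a request carrying such a session cookie plus credentials for another provider would be rejected with the 400 "Multiple authentication methods are not allowed." The method should say what its two results mean, for example `// NULL: no session was started for this request. Otherwise the session's account, which may be anonymous.` above the `if`. It is also worth noting there that the call initialises the session as a side effect, since the manager now uses it as a probe.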
@@ -32,27 +32,27 @@ class AuthenticationSubscriber implements EventSubscriberInterface { * @param AuthenticationProviderInterface $authentication_manager */ public function __construct(AuthenticationProviderInterface $authentication_manager) { - $this->authentication_manager = $authentication_manager; + $this->authenticationManager = $authentication_manager; } /** - * Authenticate user - * - * @param Symfony\Component\HttpKernel\Event\GetResponseEvent $event - * The Event to process. + * Authenticate user. */ public function onKernelRequestAuthenticate(GetResponseEvent $event) { if ($event->getRequestType() == HttpKernelInterface::MASTER_REQUEST) { $request = $event->getRequest(); - $this->authentication_manager->authenticate($request); + $this->authenticationManager->authenticate($request); } } + /** + * Trigger clean up. + */ public function onRespond(FilterResponseEvent $event) { if ($event->getRequestType() == HttpKernelInterface::MASTER_REQUEST) { $request = $event->getRequest(); - $this->authentication_manager->cleanup($request); + $this->authenticationManager->cleanup($request); } } @@ -62,7 +62,9 @@ public function onRespond(FilterResponseEvent $event) { * @return array * An array of event listener definitions. */ - static function getSubscribedEvents() { + public static function getSubscribedEvents() { + // Priority must be higher than LanguageRequestSubscriber as LanguageManager + // access global $user in case language module enabled. $events[KernelEvents::REQUEST][] = array('onKernelRequestAuthenticate', 300); $events[KernelEvents::RESPONSE][] = array('onRespond', 0); return $events;
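Review bot: The docblock of onKernelRequestAuthenticate() in the `@@ -32,27 +32,27 @@` hunk loses its `@param` entry instead of having it corrected, and the new docblock for onRespond() has none either. I would restore it with the leading backslash the old one lacked, `@param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event` followed by `The event to process.`, and add the matching entry for the FilterResponseEvent argument of onRespond(). The constructor comment kept as context still says the manager is kept "as private variable", while the previous hunk made the property `protected`.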
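Review bot: The comment added in getSubscribedEvents() ties the priority 300 to LanguageRequestSubscriber without stating the rule behind it: presumably any KernelEvents::REQUEST listener that runs before onKernelRequestAuthenticate reads the global `$user` before authentication has set it. I would word it as `// Authentication must run before any listener that reads the global $user, e.g. LanguageRequestSubscriber when the language module is enabled.` so that a later priority change elsewhere is checked against this one. As a matter of style, `$events` is appended to without being initialised; `$events = array();` first would make the returned structure explicit.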