diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
index 3279824..d32e75a 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
@@ -8,6 +8,8 @@
 namespace Drupal\Core\Authentication;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 /**
 * Manager for authentication.
@@ -114,24 +116,23 @@ public function authenticate(Request $request) {
 // Trigger authentication.
 $account = $provider->authenticate($request);
+ // Provider felt responsible for this request.
 if ($account !== NULL) {
- $this->account = $account;
 $this->triggeredProvider = $provider_id;
+ // User failed authentication.
+ if ($account === FALSE) {
+ $user = $this->account = drupal_anonymous_user();
+ throw new AccessDeniedHttpException();
+ }
+ $this->account = $account;
 break;
 }
 }
- // No provider returned a valid account - assume anonymous.
+ // No provider returned a valid account.
 if (!$this->account) {
- $this->account = drupal_anonymous_user();
- }
-
- // No provider felt responsible – assume the one with the least priority
- // should have.
- if (!$this->triggeredProvider) {
- end($this->providers);
- $this->triggeredProvider = key($this->providers);
+ throw new UnauthorizedHttpException('Basic realm="Drupal 8"', 'No authentication credentials provided.');
 }
 // Set the global user to the account returned by the triggered provider.
diff --git a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
index 6a233a6..665938d 100644
--- a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
+++ b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
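Review bot: The 401 thrown after the loop in `authenticate()` hard-codes `Basic realm="Drupal 8"` as the challenge, so the manager advertises HTTP Basic whether or not a Basic provider is among `$this->providers`; a browser may then prompt for and send credentials that no registered provider consumes. The challenge would be better supplied by the provider that owns the scheme, or built only when that provider is registered. Separately, in the `$account === FALSE` branch, `$user = $this->account = drupal_anonymous_user();` assigns `$user` immediately before the throw; unless `global $user` is declared earlier in the function (outside this hunk) that is a dead local and the global account is left untouched on failure. The three-valued return contract also deserves a comment above `if ($account !== NULL)`, e.g. `// NULL: provider does not apply; FALSE: credentials rejected; otherwise the authenticated account.`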
@@ -25,7 +25,7 @@ public function authenticate(Request $request) {
 if (drupal_session_started()) {
 return $user;
 }
- return NULL;
+ return drupal_anonymous_user();
 }
 /**
diff --git a/core/lib/Drupal/Core/Controller/ExceptionController.php b/core/lib/Drupal/Core/Controller/ExceptionController.php
index c9a661b..cc076ad 100644
--- a/core/lib/Drupal/Core/Controller/ExceptionController.php
+++ b/core/lib/Drupal/Core/Controller/ExceptionController.php
@@ -57,7 +57,7 @@ public function execute(FlattenException $exception, Request $request) {
 return $this->$method($exception, $request);
 }
- return new Response('A fatal error occurred: ' . $exception->getMessage(), $exception->getStatusCode());
+ return new Response('A fatal error occurred: ' . $exception->getMessage(), $exception->getStatusCode(), $exception->getHeaders());
 }
 /**
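Review bot: With `return drupal_anonymous_user();` the cookie provider never returns NULL, so the manager's `if ($account !== NULL)` check in AuthenticationManager.php always matches for it and the loop breaks there. If this provider is consulted before others (ordering and any `applies()` gate are outside this hunk), later providers are never tried and the manager's 401 branch becomes unreachable, meaning a request with no session is treated as a successful anonymous authentication by the cookie provider. If that is intended, the method's docblock should say so, e.g. `Returns the session user, or the anonymous user when no session was started; never NULL.` The body of `authenticate()` begins outside the hunk.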
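Review bot: The fallback `Response` in `execute()` still concatenates `$exception->getMessage()` into the body with no escaping and no explicit content type, and it is now also the path that delivers the new 401's headers to the client. If any exception message can carry request-derived text, it is typically served as HTML; escaping the message or adding a `Content-Type: text/plain` header to this response would close that. The headers are forwarded only on this fallback line, so handlers dispatched through `$this->$method($exception, $request)` just above would need the same `$exception->getHeaders()` treatment, which cannot be confirmed from this hunk. `execute()` starts outside the hunk.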