diff --git a/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php
index 566e82c..a1c75bc 100644
--- a/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php
@@ -23,12 +23,24 @@ class LegacyAccessSubscriber implements EventSubscriberInterface {
 * @todo This is a total hack to keep our current access system working. It
 * should be replaced with something robust and injected at some point.
 *
- * @param Symfony\Component\HttpKernel\Event\GetResponseEvent $event
+ * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
 * The Event to process.
+ *
+ * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
 */
 public function onKernelRequestAccessCheck(GetResponseEvent $event) {
- $router_item = $event->getRequest()->attributes->get('drupal_menu_item');
+ $request_attributes = $event->getRequest()->attributes;
+
+ $router_item = $request_attributes->get('drupal_menu_item');
+
+ // For legacy routes we do not allow any user not authenticated by cookie
+ // provider.
+ if (isset($router_item['access']) && $request_attributes->get('_authentication_provider') != 'cookie') {
+ $GLOBALS['user'] = drupal_anonymous_user();
+ $request_attributes->set('session', $GLOBALS['user']);
+ throw new AccessDeniedHttpException();
+ }
 if (isset($router_item['access']) && !$router_item['access']) {
 throw new AccessDeniedHttpException();
diff --git a/core/lib/Drupal/Core/Routing/Enhancer/AuthenticationEnhancer.php b/core/lib/Drupal/Core/Routing/Enhancer/AuthenticationEnhancer.php
index 496ee22..548955f 100644
--- a/core/lib/Drupal/Core/Routing/Enhancer/AuthenticationEnhancer.php
+++ b/core/lib/Drupal/Core/Routing/Enhancer/AuthenticationEnhancer.php
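Review bot: The new guard in onKernelRequestAccessCheck denies any request whose `_authentication_provider` attribute is not exactly 'cookie', and that includes requests where the attribute is absent; if anonymous requests do not carry the attribute at all (it is set by the authentication layer, not visible in this hunk — confirm), every anonymous hit on a legacy route is rejected before its own `access` value is ever consulted. The AuthenticationEnhancer hunk in the same commit handles the non-permitted-provider case by downgrading the session to anonymous and letting access checks decide, so if the hard 403 here is deliberate (because the menu item's `access` was computed for the original account, presumably), the comment should say so rather than just "we do not allow". The comparison should in any case be strict, since the attribute may be NULL and `!=` against a string is a loose comparison: `if (isset($router_item['access']) && $request_attributes->get('_authentication_provider') !== 'cookie') {`. Resetting `$GLOBALS['user']` and the `session` attribute before throwing is the right call so the 403 page is not rendered under the rejected identity, and a one-line comment such as `// Reset to anonymous so the 403 response is not rendered for the rejected account.` would keep that from being "cleaned up" later. The method body continues past the end of the hunk.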
@@ -41,12 +41,10 @@ public function enhance(array $defaults, Request $request) {
 $route = isset($defaults['_route_object']) ? $defaults['_route_object'] : NULL;
 $auth_providers = ($route && $route->getOption('_auth')) ? $route->getOption('_auth') : array($this->manger->defaultProviderId());
- if (!empty($auth_providers)) {
- // If the request was authenticated with a non-permitted provider,
- // force the user back to anonymous.
- if (!in_array($auth_provider_triggered, $auth_providers)) {
- $request->attributes->set('session', drupal_anonymous_user());
- }
+ // If the request was authenticated with a non-permitted provider,
+ // force the user back to anonymous.
+ if (!in_array($auth_provider_triggered, $auth_providers)) {
+ $request->attributes->set('session', drupal_anonymous_user());
 }
 }
 return $defaults;
diff --git a/core/modules/system/lib/Drupal/system/Tests/Authentication/HttpBasicTest.php b/core/modules/system/lib/Drupal/system/Tests/Authentication/HttpBasicTest.php
index 2c486ee..2d1c907 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Authentication/HttpBasicTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Authentication/HttpBasicTest.php
@@ -53,7 +53,10 @@ public function testHttpBasic() {
 $this->drupalGet('admin');
 $this->assertResponse('403', 'No authentication prompt for routes not explicitly defining authentication providers.');
+ $account = $this->drupalCreateUser(array('access administration pages'));
+ $this->basicAuthGet('admin', $account->name, $account->pass_raw);
+ $this->assertNoLink('Log out', 0, 'User is not logged in');
 $this->assertResponse('403', 'No basic authentication for routes not explicitly defining authentication providers.');
 $this->curlClose();
 }
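Review bot: The permitted-provider check `in_array($auth_provider_triggered, $auth_providers)` is a loose comparison, so any non-string value that reaches `$auth_provider_triggered` (TRUE, for instance, which loosely equals every non-empty provider id) would be treated as permitted and skip the downgrade to anonymous; this is an authorization decision and should use the strict flag: `if (!in_array($auth_provider_triggered, $auth_providers, TRUE)) {`. Dropping the `!empty()` wrapper is correct, because the context line above now always falls back to `array($this->manger->defaultProviderId())`, though that same fallback also applies to a route whose `_auth` option is an empty array, which is worth confirming is intended. This path only resets the request's `session` attribute, whereas the LegacyAccessSubscriber hunk in the same commit also resets `$GLOBALS['user']`; if the global is populated later from the attribute that is fine, otherwise the two should agree. `$auth_provider_triggered`, the enclosing `if`, and enhance() itself all begin before the hunk.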
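Review bot: The `0` in `$this->assertNoLink('Log out', 0, 'User is not logged in')` looks like a misplaced argument: if assertNoLink() has the `($label, $message, $group)` shape of the other negative assertions (its signature is not in this hunk — confirm), the `0` becomes the assertion message and 'User is not logged in' is silently used as the group, so the test still passes but reports nothing useful; only assertLink() takes an index. The call should be `$this->assertNoLink('Log out', 'User is not logged in');`. The new assertions also prove only "403 and no logout link"; adding `$this->assertNoText($account->name, 'Response is not rendered for the rejected account');` would catch a 403 page that is still rendered under the basic-auth identity, which is exactly the case the LegacyAccessSubscriber change guards against. testHttpBasic() starts before the hunk.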