diff --git a/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
new file mode 100644
index 0000000..e51eeb0
--- /dev/null
+++ b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
@@ -0,0 +1,101 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\Session\MultipleAuthenticationSessionTest.
+ */
+
+namespace Drupal\system\Tests\Session;
+
+use Drupal\Core\Url;
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests interactions between multiple authentication sessions.
+ *
+ * @group Session
+ */
+class MultipleAuthenticationSessionTest extends WebTestBase {
+
+  /**
+   * A test user.
+   *
+   * @var \Drupal\user\Entity\User
+   */
+  protected $user;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['basic_auth', 'session_test'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create a test administrator user.
+    $this->user = $this->drupalCreateUser(array('administer site configuration'));
+  }
+
+  /**
+   * Check that a basic authentication session does not leak.
+   *
+   * Regression test for a bug that caused a session initiated by basic
+   * authentication to persist over subsequent unauthorized requests.
+   *
+   * @see https://www.drupal.org/node/2468873
+   */
+  public function testSessionFromBasicAuthenticationDoesNotLeak() {
+    // This route is authorized through basic_auth only, not cookie.
+    $protected_url = Url::fromRoute('session_test.get_session');
+
+    // This route is not protected.
+    $unprotected_url = Url::fromRoute('session_test.get_session_no_auth');
+
+    // Test that the route is not accessible as an anonymous user.
+    $this->drupalGet($protected_url);
+    $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.');
+
+    // We should be able to access the route with basic authentication.
+    $this->basicAuthGet($protected_url);
+    $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.');
+
+    // Check that the correct user is logged in.
+    $this->assertEqual($this->user->id(), json_decode($this->getRawContent())->user, 'The correct user is authenticated on a route with basic authentication.');
+
+    // If we now try to access a page without basic authentication then we
+    // should no longer be logged in.
+    $this->drupalGet($unprotected_url);
+    $this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.');
+    $this->assertFalse(json_decode($this->getRawContent())->user, 'The user is no longer authenticated after visiting a page without basic authentication.');
+
+    // If we access the protected page again without basic authentication we
+    // should get 401 Unauthorized.
+    $this->drupalGet($protected_url);
+    $this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.');
+  }
+
+  /**
+   * Retrieves a Drupal path or an absolute path using basic authentication.
+   *
+   * @param \Drupal\Core\Url|string $path
+   *   Drupal path or URL to load into the internal browser.
+   * @param array $options
+   *   Options to be forwarded to the url generator.
+   *
+   * @return string
+   *   The retrieved HTML string, also available as $this->getRawContent().
+   */
+  protected function basicAuthGet($path, array $options = array()) {
+    // Set up Curl to use basic authentication with the test user's credentials.
+    $headers = [
+      'Accept: */*',
+      'Authorization: Basic ' . base64_encode($this->user->getUsername() . ':' . $this->user->pass_raw),
+    ];
+
+    return $this->drupalGet($path, $options, $headers);
+  }
+
+}
diff --git a/core/modules/system/tests/modules/session_test/session_test.routing.yml b/core/modules/system/tests/modules/session_test/session_test.routing.yml
index fce0fc9..ea59385 100644
--- a/core/modules/system/tests/modules/session_test/session_test.routing.yml
+++ b/core/modules/system/tests/modules/session_test/session_test.routing.yml
@@ -89,3 +89,21 @@ session_test.trace_handler:
     _controller: '\Drupal\session_test\Controller\SessionTestController::traceHandler'
   requirements:
     _access: 'TRUE'
+
+session_test.get_session:
+  path: '/session-test/get-session'
+  defaults:
+    _title: 'Get session information using basic authentication'
+    _controller: '\Drupal\session_test\Controller\SessionTestController::getSession'
+  options:
+    _auth: ['basic_auth']
+  requirements:
+    _permission: 'administer site configuration'
+
+session_test.get_session_no_auth:
+  path: '/session-test/get-session-no-auth'
+  defaults:
+    _title: 'Get session information'
+    _controller: '\Drupal\session_test\Controller\SessionTestController::getSession'
+  requirements:
+    _access: 'TRUE'
diff --git a/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php b/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
index 4437743..c87ef63 100644
--- a/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
+++ b/core/modules/system/tests/modules/session_test/src/Controller/SessionTestController.php
@@ -162,4 +162,15 @@ public function traceHandler() {
     return new JsonResponse($trace);
   }
 
+  /**
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   The request object.
+   *
+   * @return \Symfony\Component\HttpFoundation\JsonResponse
+   *   A response object containing the session values and the user ID.
+   */
+  public function getSession(Request $request) {
+    return new JsonResponse(['session' => $request->getSession()->all(), 'user' => $this->currentUser()->id()]);
+  }
+
 }