diff --git a/core/core.services.yml b/core/core.services.yml
index 2f3a696..171c01f 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -1247,8 +1247,6 @@ services:
     arguments: ['@request_stack', '@database', '@session_manager.metadata_bag', '@session_configuration', '@session_handler']
     tags:
       - { name: backend_overridable }
-    calls:
-      - [setWriteSafeHandler, ['@session_handler.write_safe']]
   session_manager.metadata_bag:
     class: Drupal\Core\Session\MetadataBag
     arguments: ['@settings']
diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 1d470e2..8d8ef08 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -63,16 +63,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
   protected $startedLazy;
 
   /**
-   * The write safe session handler.
-   *
-   * @todo: This reference should be removed once all database queries
-   *   are removed from the session manager class.
-   *
-   * @var \Drupal\Core\Session\WriteSafeSessionHandlerInterface
-   */
-  protected $writeSafeHandler;
-
-  /**
    * Constructs a new session manager instance.
    *
    * @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
@@ -243,19 +233,6 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
   /**
    * {@inheritdoc}
    */
-  public function delete($uid) {
-    // Nothing to do if we are not allowed to change the session.
-    if (!$this->writeSafeHandler->isSessionWritable() || $this->isCli()) {
-      return;
-    }
-    $this->connection->delete('sessions')
-      ->condition('uid', $uid)
-      ->execute();
-  }
-
-  /**
-   * {@inheritdoc}
-   */
   public function destroy() {
     session_destroy();
 
@@ -270,13 +247,6 @@ public function destroy() {
   }
 
   /**
-   * {@inheritdoc}
-   */
-  public function setWriteSafeHandler(WriteSafeSessionHandlerInterface $handler) {
-    $this->writeSafeHandler = $handler;
-  }
-
-  /**
    * Returns whether the current PHP process runs on CLI.
    *
    * Command line clients do not support cookies nor sessions.
diff --git a/core/lib/Drupal/Core/Session/SessionManagerInterface.php b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
index c755687..bfc9fb7 100644
--- a/core/lib/Drupal/Core/Session/SessionManagerInterface.php
+++ b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
@@ -15,26 +15,8 @@
 interface SessionManagerInterface extends SessionStorageInterface {
 
   /**
-   * Ends a specific user's session(s).
-   *
-   * @param int $uid
-   *   User ID.
-   */
-  public function delete($uid);
-
-  /**
    * Destroys the current session and removes session cookies.
    */
   public function destroy();
 
-  /**
-   * Sets the write safe session handler.
-   *
-   * @todo: This should be removed once all database queries are removed from
-   *   the session manager class.
-   *
-   * @var \Drupal\Core\Session\WriteSafeSessionHandlerInterface
-   */
-  public function setWriteSafeHandler(WriteSafeSessionHandlerInterface $handler);
-
 }
diff --git a/core/modules/user/src/Authentication/Provider/Cookie.php b/core/modules/user/src/Authentication/Provider/Cookie.php
index bac9e15..1fd1b5f 100644
--- a/core/modules/user/src/Authentication/Provider/Cookie.php
+++ b/core/modules/user/src/Authentication/Provider/Cookie.php
@@ -7,11 +7,12 @@
 
 namespace Drupal\user\Authentication\Provider;
 
+use Drupal\Component\Utility\Crypt;
 use Drupal\Core\Authentication\AuthenticationProviderInterface;
 use Drupal\Core\Database\Connection;
 use Drupal\Core\Session\AccountInterface;
-use Drupal\Core\Session\UserSession;
 use Drupal\Core\Session\SessionConfigurationInterface;
+use Drupal\Core\Session\UserSession;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
@@ -80,19 +81,22 @@ protected function getUserFromSession(SessionInterface $session) {
         ->fetchAssoc();
 
       // Check if the user data was found and the user is active.
-      if (!empty($values) && $values['status'] == 1) {
-        // UserSession::getLastAccessedTime() returns session save timestamp,
-        // while User::getLastAccessedTime() returns the user 'access'
-        // timestamp. This ensures they are synchronized.
-        $values['timestamp'] = $values['access'];
+      if (!empty($values)) {
+        $cred_hash = Crypt::hmacBase64($uid . $values['status'], $values['pass']);
+        if ($cred_hash === $session->get('cred_hash')) {
+          // UserSession::getLastAccessedTime() returns session save timestamp,
+          // while User::getLastAccessedTime() returns the user 'access'
+          // timestamp. This ensures they are synchronized.
+          $values['timestamp'] = $values['access'];
 
-        // Add the user's roles.
-        $rids = $this->connection
-          ->query('SELECT roles_target_id FROM {user__roles} WHERE entity_id = :uid', [':uid' => $values['uid']])
-          ->fetchCol();
-        $values['roles'] = array_merge([AccountInterface::AUTHENTICATED_ROLE], $rids);
+          // Add the user's roles.
+          $rids = $this->connection
+            ->query('SELECT roles_target_id FROM {user__roles} WHERE entity_id = :uid', [':uid' => $values['uid']])
+            ->fetchCol();
+          $values['roles'] = array_merge([AccountInterface::AUTHENTICATED_ROLE], $rids);
 
-        return new UserSession($values);
+          return new UserSession($values);
+        }
       }
     }
 
diff --git a/core/modules/user/src/Entity/User.php b/core/modules/user/src/Entity/User.php
index 1a78c98..09778bc 100644
--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\user\Entity;
 
+use Drupal\Component\Utility\Crypt;
 use Drupal\Core\Entity\ContentEntityBase;
 use Drupal\Core\Entity\EntityStorageInterface;
 use Drupal\Core\Entity\EntityTypeInterface;
@@ -111,21 +112,15 @@ public function postSave(EntityStorageInterface $storage, $update = TRUE) {
     parent::postSave($storage, $update);
 
     if ($update) {
-      $session_manager = \Drupal::service('session_manager');
       // If the password has been changed, delete all open sessions for the
       // user and recreate the current one.
       if ($this->pass->value != $this->original->pass->value) {
-        $session_manager->delete($this->id());
         if ($this->id() == \Drupal::currentUser()->id()) {
           \Drupal::service('session')->migrate();
+          \Drupal::service('session')->set('cred_hash', Crypt::hmacBase64($this->id() . $this->isActive(), $this->getPassword()));
         }
       }
 
-      // If the user was blocked, delete the user's sessions to force a logout.
-      if ($this->original->status->value != $this->status->value && $this->status->value == 0) {
-        $session_manager->delete($this->id());
-      }
-
       // Send emails after we have the new user object.
       if ($this->status->value != $this->original->status->value) {
         // The user's status is changing; conditionally send notification email.
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 33ed45f..e1d0a55 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -529,6 +529,7 @@ function user_login_finalize(UserInterface $account) {
   // in place.
   \Drupal::service('session')->migrate();
   \Drupal::service('session')->set('uid', $account->id());
+  \Drupal::service('session')->set('cred_hash', Crypt::hmacBase64($account->id() . $account->isActive(), $account->getPassword()));
   \Drupal::moduleHandler()->invokeAll('user_login', array($account));
 }