diff --git a/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
new file mode 100644
index 0000000..712bb4c
--- /dev/null
+++ b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
@@ -0,0 +1,98 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\Session\MultipleAuthenticationSessionTest.
+ */
+
+namespace Drupal\system\Tests\Session;
+
+use Drupal\user\Entity\Role;
+use Drupal\user\RoleInterface;
+use Drupal\simpletest\WebTestBase;
+use Drupal\Core\Url;
+use Drupal\Component\Utility\SafeMarkup;
+
+/**
+ * Tests whether multiple authentication providers can both set the session.
+ *
+ * @group Session
+ */
+class MultipleAuthenticationSessionTest extends WebTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = array('basic_auth', 'router_test');
+
+  /**
+   * {@inheritdoc}
+   */
+  protected $dumpHeaders = TRUE;
+
+  /**
+   * Check that authentication provider does not leak on sessions.
+   * Here using Basic Auth as authentication provider.
+   */
+  public function testSessionFromBasicAuthDoesNotLeak() {
+    $user = $this->drupalCreateUser();
+
+    // This page is authorized though basic_auth only, not cookie.
+    $url = Url::fromRoute('router_test.11');
+
+    // Anonymous users cannot access unauthorized page.
+    $this->drupalGet($url);
+    $this->assertResponse(401, "Anonymous users cannot access unauthorized page.");
+
+    // Admin users can access unauthorized page.
+    $this->basicAuthGet($url, $user->getUsername(), $user->pass_raw);
+    $this->assertResponse(200, "Admin users can access unauthorized page using Basic Auth.");
+
+    // Anonymous users cannot access unauthorized page.
+    $this->drupalGet($url);
+    $this->assertResponse(401, "Anonymous users cannot access unauthorized page.");
+  }
+
+  /**
+   * Does HTTP basic auth request.
+   *
+   * We do not use \Drupal\simpletest\WebTestBase::drupalGet because we need to
+   * set curl settings for basic authentication.
+   *
+   * @param \Drupal\Core\Url|string $path
+   *   Drupal path or URL to load into internal browser
+   * @param string $username
+   *   The user name to authenticate with.
+   * @param string $password
+   *   The password.
+   *
+   * @return string
+   *   Curl output.
+   */
+  protected function basicAuthGet($path, $username, $password) {
+    if ($path instanceof Url) {
+      $path = $path->setAbsolute()->toString();
+    }
+
+    $out = $this->curlExec(
+      array(
+        CURLOPT_HTTPGET => TRUE,
+        CURLOPT_URL => $path,
+        CURLOPT_NOBODY => FALSE,
+        CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
+        CURLOPT_VERBOSE        => 1,
+        CURLOPT_USERPWD => $username . ':' . $password,
+      )
+    );
+
+    $verbose = 'GET request to: ' . $path .
+               '<hr />Ending URL: ' . $this->getUrl();
+    if ($this->dumpHeaders) {
+      $verbose .= '<hr />Headers: <pre>' . SafeMarkup::checkPlain(var_export(array_map('trim', $this->headers), TRUE)) . '</pre>';
+    }
+    $verbose .= '<hr />' . $out;
+    $this->verbose($verbose);
+
+    return $out;
+  }
+}