diff --git a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
index 9bc26c7..eb54001 100644
--- a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
+++ b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
@@ -61,12 +61,6 @@ public function applies(Request $request) {
 public function authenticate(Request $request) {
 $session = $request->getSession();
 if ($session->start()) {
- // Handle the case of first time visitors and clients that don't store
- // cookies (eg. web crawlers).
- if (!$this->sessionConfiguration->hasSession($request)) {
- return new AnonymousUserSession();
- }
-
 $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
 ':sid' => Crypt::hashBase64($session->getId()),
 ))->fetchAssoc();
diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php
index 05b5887..60a2c15 100644
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -67,6 +67,10 @@ public function open($save_path, $name) {
 * {@inheritdoc}
 */
 public function read($sid) {
+ if (empty($sid)) {
+ return '';
+ }
+
 // Read the session data from the database.
 $record = $this->connection->select('sessions', 's')
 ->fields('s')
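Review bot: With the `hasSession()` guard removed from authenticate(), the users/sessions lookup on the `$values` line now runs for every request where `start()` succeeds, including the first-time visitors and cookieless clients the deleted comment called out; their freshly generated session id matches no `sessions` row, so the anonymous outcome presumably comes from the fall-through after the hunk, which is not visible here. The rationale the removed comment carried is now undocumented; a comment before the query such as `// A session started without a cookie has a fresh id that matches no row, so the lookup yields no account for first-time visitors and cookieless clients.` would keep it. authenticate() continues past the end of the hunk.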
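Review bot: The new guard at the top of read() uses `empty($sid)`, which is also true for the string `'0'`, so it is wider than an empty-id check; `if ($sid === '' || $sid === NULL) { return ''; }` states the intent exactly. The guard carries no comment saying why the handler can be asked to read an empty id (presumably a session started without a cookie, given the Cookie.php hunk above, but that needs confirming); a one-line comment above it, e.g. `// Nothing to load for an empty id; skip the query.`, would help the next reader. read() continues past the end of the hunk.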
@@ -129,18 +133,6 @@ public function destroy($sid) {
 ->condition('sid', Crypt::hashBase64($sid))
 ->execute();
- // Reset $_SESSION and current user to prevent a new session from being
- // started in \Drupal\Core\Session\SessionManager::save().
- $_SESSION = array();
-
- // @todo: Manipulating the current user is not the business of the session
- // handler. This should be moved to the authentication mananger.
- $this->currentUser->setAccount(new AnonymousUserSession());
-
- // @todo: cookie management should be moved to Cookie auth manager.
- // Unset the session cookies.
- $this->deleteCookie($this->getName());
-
 return TRUE;
 }
@@ -159,21 +151,4 @@ public function gc($lifetime) {
 return TRUE;
 }
- /**
- * Deletes a session cookie.
- *
- * @param string $name
- * Name of session cookie to delete.
- *
- * @todo: cookie management should be moved to Cookie auth manager.
- */
- protected function deleteCookie($name) {
- $cookies = $this->requestStack->getCurrentRequest()->cookies;
- if ($cookies->has($name)) {
- $params = session_get_cookie_params();
- setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
- $cookies->remove($name);
- }
- }
-
 }
diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 2c6f09a..ec3ecdf 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -183,11 +183,11 @@ public function save() {
 return;
 }
- if (!$user || ($user->isAnonymous() && $this->isSessionObsolete())) {
+ if ($user->isAnonymous() && $this->isSessionObsolete()) {
 // There is no session data to store, destroy the session if it was
 // previously started.
 if ($this->getSaveHandler()->isActive()) {
- session_destroy();
+ $this->destroy();
 }
 }
 else {
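Review bot: Dropping the `!$user ||` half of the condition in save() means a NULL `$user` now reaches `$user->isAnonymous()` and fatals instead of taking the destroy path; `$user` is assigned before the hunk, so it is not visible here whether it can still be NULL. If the current-user service always yields an account, a short comment above the condition, e.g. `// The current user service always returns an account, so no NULL check is needed.`, would record why the guard went away; otherwise the old guard should stay. `$this->destroy()` also removes the session cookie where the replaced `session_destroy()` did not, which is the right outcome for an obsolete anonymous session but is a behaviour change worth a word in the commit message. save() starts and ends outside the hunk.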
@@ -254,6 +254,22 @@ public function delete($uid) {
 /**
 * {@inheritdoc}
 */
+ public function destroy() {
+ session_destroy();
+
+ // Unset the session cookies.
+ $session_name = $this->getName();
+ $cookies = $this->requestStack->getCurrentRequest()->cookies;
+ if ($cookies->has($session_name)) {
+ $params = session_get_cookie_params();
+ setcookie($session_name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+ $cookies->remove($session_name);
+ }
+ }
+
+ /**
+ * {@inheritdoc}
+ */
 public function setWriteSafeHandler(WriteSafeSessionHandlerInterface $handler) {
 $this->writeSafeHandler = $handler;
 }
diff --git a/core/lib/Drupal/Core/Session/SessionManagerInterface.php b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
index d194002..c755687 100644
--- a/core/lib/Drupal/Core/Session/SessionManagerInterface.php
+++ b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
@@ -23,6 +23,11 @@ public function delete($uid);
 /**
+ * Destroys the current session and removes session cookies.
+ */
+ public function destroy();
+
+ /**
 * Sets the write safe session handler.
 *
 * @todo: This should be removed once all database queries are removed from
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index d95061f..cf5a7b5 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1440,7 +1440,8 @@ function user_logout() {
 // Session::invalidate(). Regrettably this method is currently broken and may
 // lead to the creation of spurious session records in the database.
 // @see https://github.com/symfony/symfony/issues/12375
- session_destroy();
+ \Drupal::service('session_manager')->destroy();
+ $user->setAccount(new AnonymousUserSession());
 }
 /**
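Review bot: The new destroy() does not carry over the `$_SESSION = array();` reset that the SessionHandler::destroy() hunk removes, and the deleted comment there said that reset existed to stop SessionManager::save() from starting a new session; if save() still runs later in the same request and keys off `$_SESSION` contents through isSessionObsolete() (neither is visible here), the logged-out user's session data could be written into a fresh anonymous session record, which is both the spurious-record problem the user.module comment describes and a small post-logout data exposure. That needs confirming; if the reset is still required, `$_SESSION = array();` directly after `session_destroy();` with a comment giving that reason is the fix. Separately, `$this->requestStack->getCurrentRequest()` can return NULL outside a request (CLI), and the chained `->cookies` would then fatal; `$request = $this->requestStack->getCurrentRequest(); if (!$request) { return; } $cookies = $request->cookies;` keeps destroy() usable from the command line. The `{@inheritdoc}` docblock could also note that the cookie is only cleared when the request carries one.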
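Review bot: The new docblock on the interface's destroy() says what it does but not what it leaves to the caller: per the SessionHandler::destroy() and user_logout() hunks in this commit, resetting the current user to AnonymousUserSession is now the caller's job, and the SessionManager implementation only clears the cookie when the request carries one. Spelling that out, e.g. `Destroys the current session and removes the session cookie, if any. The current user account is not touched; callers such as user_logout() must reset it.`, makes the contract clear to other implementations.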
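Review bot: The added `new AnonymousUserSession()` call in user_logout() relies on `use Drupal\Core\Session\AnonymousUserSession;` being present at the top of user.module, which is outside the diff, so confirm the import is there (the only occurrence of the class in this commit's user.module section is the added line). The comment block above the call still explains only why Session::invalidate() is avoided; extending it with one line such as `// destroy() also clears the session cookie; the account reset must follow it.` would document the new ordering. user_logout() starts before the hunk, so `$user` is assigned outside the visible lines.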