diff --git a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
index ccd9228..eaf457a 100644
--- a/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
+++ b/core/lib/Drupal/Core/Authentication/Provider/Cookie.php
@@ -84,6 +84,11 @@ protected function getUserFromSession(SessionInterface $session) {
 ->fetchAssoc();

 if ($values && $values['uid'] > 0 && $values['status'] == 1) {
+ // UserSession::getLastAccessedTime() returns session save timestamp,
+ // while User::getLastAccessedTime() returns the user 'access' timestamp.
+ // This ensures they are synchronized.
+ $values['timestamp'] = $values['access'];
+
 // We found the client's session record and they are an authenticated,
 // active user.
 $rids = $this->connection->select('user__roles', 'ur')
@@ -93,14 +98,12 @@ protected function getUserFromSession(SessionInterface $session) {
 ->fetchCol();
 // Add user's roles.
 $values['roles'] = array_merge([AccountInterface::AUTHENTICATED_ROLE], $rids);
- $values['session'] = serialize($_SESSION);
 return new UserSession($values);
 }
 elseif ($values) {
- // The user is anonymous or blocked. Only preserve two fields from the
- // {sessions} table.
+ // The user is anonymous or blocked. Only preserve access field from the
+ // {users} table.
 return new UserSession([
- 'session' => serialize($_SESSION),
 'access' => $values['access'],
 ]);
 }
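Review bot: The `timestamp` synchronisation is applied only in the authenticated branch; the `elseif ($values)` branch in the second hunk still builds its UserSession from `'access'` alone. If UserSession::getLastAccessedTime() reads `timestamp`, as the added comment implies, anonymous or blocked accounts would keep reporting a value that is not tied to `access`. If that is intended, the comment should say so; otherwise add `'timestamp' => $values['access'],` to that array. The new assignment also lands between the `if` and the existing "We found the client's session record" comment, which would read better directly under the condition it explains. getUserFromSession() starts and ends outside this hunk.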
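Review bot: Nothing in this hunk shows the readers of the account's `session` value being updated, now that both UserSession constructions stop passing `serialize($_SESSION)`. Not carrying a serialized copy of the whole session on the account object is the safer design, but any code that still reads that value would now get an unset or default one, so it is worth confirming that the rest of the change removes the property and its consumers. The rewritten comment is also missing an article and would read more clearly as `// The user is anonymous or blocked. Only preserve the 'access' field from the`. The query that loads `$values` lies outside the hunk, so the `{users}` table named in the comment cannot be checked here.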