.../Block/BlockHalJsonCookieTest.php               | 40 +++++++++
 .../Comment/CommentHalJsonCookieTest.php           | 19 +++++
 .../ConfigTest/ConfigTestHalJsonCookieTest.php     | 40 +++++++++
 .../EntityTest/EntityTestHalJsonCookieTest.php     | 19 +++++
 .../EntityResource/Node/NodeHalJsonCookieTest.php  | 19 +++++
 .../EntityResource/Role/RoleHalJsonCookieTest.php  | 40 +++++++++
 .../EntityResource/Term/TermHalJsonCookieTest.php  | 18 ++++
 .../EntityResource/User/UserHalJsonCookieTest.php  | 19 +++++
 .../Vocabulary/VocabularyHalJsonCookieTest.php     | 40 +++++++++
 .../tests/src/Functional/AnonResourceTestTrait.php |  6 ++
 .../src/Functional/BasicAuthResourceTestTrait.php  |  8 +-
 .../src/Functional/CookieResourceTestTrait.php     | 98 ++++++++++++++++++++++
 .../EntityResource/Block/BlockJsonCookieTest.php   | 34 ++++++++
 .../Comment/CommentJsonCookieTest.php              | 34 ++++++++
 .../Comment/CommentResourceTestBase.php            |  3 +-
 .../ConfigTest/ConfigTestJsonCookieTest.php        | 34 ++++++++
 .../EntityResource/EntityResourceTestBase.php      | 32 ++-----
 .../EntityTest/EntityTestJsonCookieTest.php        | 34 ++++++++
 .../EntityResource/Node/NodeJsonCookieTest.php     | 34 ++++++++
 .../EntityResource/Role/RoleJsonCookieTest.php     | 36 ++++++++
 .../EntityResource/Term/TermJsonCookieTest.php     | 34 ++++++++
 .../EntityResource/User/UserJsonCookieTest.php     | 34 ++++++++
 .../Vocabulary/VocabularyJsonCookieTest.php        | 34 ++++++++
 .../rest/tests/src/Functional/ResourceTestBase.php | 28 ++++++-
 24 files changed, 711 insertions(+), 26 deletions(-)

diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Block/BlockHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Block/BlockHalJsonCookieTest.php
new file mode 100644
index 0000000..1403ebe
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Block/BlockHalJsonCookieTest.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Block;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+use Drupal\Tests\rest\Functional\EntityResource\Block\BlockResourceTestBase;
+
+/**
+ * @group hal
+ */
+class BlockHalJsonCookieTest extends BlockResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['hal'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'hal_json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/hal+json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Comment/CommentHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Comment/CommentHalJsonCookieTest.php
new file mode 100644
index 0000000..760b79a
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Comment/CommentHalJsonCookieTest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Comment;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group hal
+ */
+class CommentHalJsonCookieTest extends CommentHalJsonAnonTest {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/ConfigTest/ConfigTestHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/ConfigTest/ConfigTestHalJsonCookieTest.php
new file mode 100644
index 0000000..846aa9f
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/ConfigTest/ConfigTestHalJsonCookieTest.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\ConfigTest;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+use Drupal\Tests\rest\Functional\EntityResource\ConfigTest\ConfigTestResourceTestBase;
+
+/**
+ * @group hal
+ */
+class ConfigTestHalJsonCookieTest extends ConfigTestResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['hal'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'hal_json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/hal+json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/EntityTest/EntityTestHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/EntityTest/EntityTestHalJsonCookieTest.php
new file mode 100644
index 0000000..efca317
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/EntityTest/EntityTestHalJsonCookieTest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\EntityTest;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group hal
+ */
+class EntityTestHalJsonCookieTest extends EntityTestHalJsonAnonTest {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Node/NodeHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Node/NodeHalJsonCookieTest.php
new file mode 100644
index 0000000..19ed363
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Node/NodeHalJsonCookieTest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Node;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group hal
+ */
+class NodeHalJsonCookieTest extends NodeHalJsonAnonTest {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Role/RoleHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Role/RoleHalJsonCookieTest.php
new file mode 100644
index 0000000..b52713c
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Role/RoleHalJsonCookieTest.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Role;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+use Drupal\Tests\rest\Functional\EntityResource\Role\RoleResourceTestBase;
+
+/**
+ * @group hal
+ */
+class RoleHalJsonCookieTest extends RoleResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['hal'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'hal_json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/hal+json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Term/TermHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Term/TermHalJsonCookieTest.php
new file mode 100644
index 0000000..23ccd20
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Term/TermHalJsonCookieTest.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Term;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group hal
+ */
+class TermHalJsonCookieTest extends TermHalJsonAnonTest {
+
+  use CookieResourceTestTrait;
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/User/UserHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/User/UserHalJsonCookieTest.php
new file mode 100644
index 0000000..b4a121b
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/User/UserHalJsonCookieTest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\User;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group hal
+ */
+class UserHalJsonCookieTest extends UserHalJsonAnonTest {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/hal/tests/src/Functional/EntityResource/Vocabulary/VocabularyHalJsonCookieTest.php b/core/modules/hal/tests/src/Functional/EntityResource/Vocabulary/VocabularyHalJsonCookieTest.php
new file mode 100644
index 0000000..b751cdd
--- /dev/null
+++ b/core/modules/hal/tests/src/Functional/EntityResource/Vocabulary/VocabularyHalJsonCookieTest.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Drupal\Tests\hal\Functional\EntityResource\Vocabulary;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+use Drupal\Tests\rest\Functional\EntityResource\Vocabulary\VocabularyResourceTestBase;
+
+/**
+ * @group hal
+ */
+class VocabularyHalJsonCookieTest extends VocabularyResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['hal'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'hal_json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/hal+json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/AnonResourceTestTrait.php b/core/modules/rest/tests/src/Functional/AnonResourceTestTrait.php
index cc089de..ab8b9a3 100644
--- a/core/modules/rest/tests/src/Functional/AnonResourceTestTrait.php
+++ b/core/modules/rest/tests/src/Functional/AnonResourceTestTrait.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\Tests\rest\Functional;
 
+use Drupal\Core\Url;
 use Psr\Http\Message\ResponseInterface;
 
 trait AnonResourceTestTrait {
@@ -13,4 +14,9 @@ protected function verifyResponseWhenMissingAuthentication(ResponseInterface $re
     throw new \LogicException('When testing for anonymous users, authentication cannot be missing.');
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {}
+
 }
diff --git a/core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php b/core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php
index da62ff8..7134585 100644
--- a/core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php
+++ b/core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\Tests\rest\Functional;
 
+use Drupal\Core\Url;
 use Psr\Http\Message\ResponseInterface;
 
 /**
@@ -12,7 +13,7 @@
   /**
    * {@inheritdoc}
    */
-  protected function getAuthenticationRequestOptions() {
+  protected function getAuthenticationRequestOptions($method) {
     return [
       'headers' => [
         'Authorization' => 'Basic ' . base64_encode($this->account->name->value . ':' . $this->account->passRaw),
@@ -27,4 +28,9 @@ protected function verifyResponseWhenMissingAuthentication(ResponseInterface $re
     $this->assertResourceErrorResponse(401, 'No authentication credentials provided.', $response);
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {}
+
 }
diff --git a/core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php b/core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php
new file mode 100644
index 0000000..500cfe2
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php
@@ -0,0 +1,98 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional;
+
+use Drupal\Core\Url;
+use GuzzleHttp\RequestOptions;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * ResourceTestBase::getAuthenticationRequestOptions() for cookie.
+ */
+trait CookieResourceTestTrait {
+
+
+  protected $sessionCookie;
+
+  protected $csrfToken;
+
+  protected $logoutToken;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function initAuthentication() {
+    // @todo Remove the hardcoded use of the 'json' format, and use static::$format + static::$mimeType instead, once https://www.drupal.org/node/2820888 is fixed.
+    $user_login_url = Url::fromRoute('user.login.http')
+      ->setRouteParameter('_format', 'json');
+
+    $request_body = [
+      'name' => $this->account->name->value,
+      'pass' => $this->account->passRaw,
+    ];
+
+    $request_options[RequestOptions::BODY] = $this->serializer->encode($request_body, 'json');
+    $request_options[RequestOptions::HEADERS]['Accept'] = 'application/json';
+    $response = $this->request('POST', $user_login_url, $request_options);
+
+    // Parse and store the session cookie.
+    $this->sessionCookie = explode(';', $response->getHeader('Set-Cookie')[0], 2)[0];
+
+    // Parse and store the CSRF token and logout token.
+    $data = $this->serializer->decode($response->getBody()->getContents(), static::$format);
+    $this->csrfToken = $data['csrf_token'];
+    $this->logoutToken = $data['logout_token'];
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function getAuthenticationRequestOptions($method) {
+    $request_options[RequestOptions::HEADERS]['Cookie'] = $this->sessionCookie;
+    if (!in_array($method, ['HEAD', 'GET'])) {
+      $request_options[RequestOptions::HEADERS]['X-CSRF-Token'] = $this->csrfToken;
+    }
+    return $request_options;
+  }
+
+  // @todo XCSRF token missing/invalid edge cases!!!!!!!!!!!
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function verifyResponseWhenMissingAuthentication(ResponseInterface $response) {
+    $this->assertResourceErrorResponse(403, '', $response);
+  }
+
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {
+    // X-CSRF-Token request header is unnecessary for safe HTTP methods. No need
+    // for additional assertions.
+    if (in_array($method, ['HEAD', 'GET'])) {
+      return;
+    }
+
+
+    unset($request_options[RequestOptions::HEADERS]['X-CSRF-Token']);
+
+
+    // DX: 403 when missing X-CSRF-Token request header.
+    $response = $this->request($method, $url, $request_options);
+    $this->assertResourceErrorResponse(403, 'X-CSRF-Token request header is missing', $response);
+
+
+    $request_options[RequestOptions::HEADERS]['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
+
+
+    // DX: 403 when invalid X-CSRF-Token request header.
+    $response = $this->request($method, $url, $request_options);
+    $this->assertResourceErrorResponse(403, 'X-CSRF-Token request header is invalid', $response);
+
+
+    $request_options[RequestOptions::HEADERS]['X-CSRF-Token'] = $this->csrfToken;
+  }
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockJsonCookieTest.php
new file mode 100644
index 0000000..f609448
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Block;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class BlockJsonCookieTest extends BlockResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentJsonCookieTest.php
new file mode 100644
index 0000000..967baa5
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Comment;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class CommentJsonCookieTest extends CommentResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php
index 7205f9c..020a755 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php
@@ -208,6 +208,7 @@ protected function getNormalizedEntityToCreate() {
   }
 
   public function testPostDxWithoutCriticalBaseFields() {
+    $this->initAuthentication();
     $this->provisionEntityResource();
     $this->setUpAuthorization('POST');
 
@@ -215,7 +216,7 @@ public function testPostDxWithoutCriticalBaseFields() {
     $request_options = [];
     $request_options[RequestOptions::HEADERS]['Accept'] = static::$mimeType;
     $request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;
-    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions());
+    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions('POST'));
 
     // DX: 422 when missing 'entity_type' field.
     $request_options[RequestOptions::BODY] = $this->serializer->encode(array_diff_key($this->getNormalizedEntityToCreate(), ['entity_type' => TRUE]), static::$format);
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/ConfigTest/ConfigTestJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/ConfigTest/ConfigTestJsonCookieTest.php
new file mode 100644
index 0000000..c243bde
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/ConfigTest/ConfigTestJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\ConfigTest;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class ConfigTestJsonCookieTest extends ConfigTestResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
index 7875c8d..d5b90f6 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
@@ -149,6 +149,7 @@ public function setUp() {
   abstract protected function getExpectedNormalizedEntity();
 
   public function testGet() {
+    $this->initAuthentication();
     $has_canonical_url = $this->entity->hasLinkTemplate('canonical');
 
     // The URL and Guzzle request options that will be used in this test. The
@@ -189,7 +190,7 @@ public function testGet() {
     // DX: 406 when ?_format is missing, except when requesting a canonical HTML
     // route.
     $response = $this->request('GET', $url, $request_options);
-    if ($has_canonical_url && !static::$auth) {
+    if ($has_canonical_url && (!static::$auth || static::$auth === 'cookie')) {
       $this->assertSame(403, $response->getStatusCode());
     }
     else {
@@ -207,7 +208,7 @@ public function testGet() {
       $this->verifyResponseWhenMissingAuthentication($response);
     }
 
-    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions());
+    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions('GET'));
 
 
     // DX: 403 when unauthorized.
@@ -327,6 +328,7 @@ public function testPost() {
       return;
     }
 
+    $this->initAuthentication();
     $has_canonical_url = $this->entity->hasLinkTemplate('canonical');
 
     // Try with all of the following request bodies.
@@ -424,7 +426,7 @@ public function testPost() {
     }
 
 
-    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions());
+    $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions('POST'));
 
 
     // DX: 403 when unauthorized.
@@ -470,6 +472,10 @@ public function testPost() {
     $request_options[RequestOptions::BODY] = $parseable_valid_request_body;
 
 
+    // Before sending a well-formed request, allow the authentication provider's
+    // edge cases to also be tested.
+    $this->assertAuthenticationEdgeCases('POST', $url, $request_options);
+
     // 201 for well-formed request.
     $response = $this->request('POST', $url, $request_options);
     $this->assertResourceResponse(201, FALSE, $response);
@@ -549,24 +555,4 @@ protected function assert406Response(ResponseInterface $response) {
     }
   }
 
-  /**
-   * Simulate common developer mistake when performing an unsafe operation:
-   * - forget to specify the X-CSRF-Token request header
-   * - specify in invalid X-CSRF-Token request header value
-   *
-   * In either case, the REST module must provide meaningful feedback for DX.
-   */
-  protected function performUnsafeOperation($method) {
-    // Try without CSRF token
-    // …request
-    $this->assertSame(403, $this->getSession()->getStatusCode());
-    $this->assertSession()->responseContains('X-CSRF-Token request header is missing');
-    // Try with invalid CSRF token
-    // …request
-    $this->assertSame(403, $this->getSession()->getStatusCode());
-    $this->assertSession()->responseContains('X-CSRF-Token request header is invalid');
-    // Try with valid CSRF token
-    // …request
-  }
-
 }
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestJsonCookieTest.php
new file mode 100644
index 0000000..8407922
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\EntityTest;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class EntityTestJsonCookieTest extends EntityTestResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Node/NodeJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Node/NodeJsonCookieTest.php
new file mode 100644
index 0000000..f0bd653
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Node/NodeJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Node;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class NodeJsonCookieTest extends NodeResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Role/RoleJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Role/RoleJsonCookieTest.php
new file mode 100644
index 0000000..3aa4149
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Role/RoleJsonCookieTest.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Role;
+
+use Drupal\Tests\rest\Functional\BasicAuthResourceTestTrait;
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * @group rest
+ */
+class RoleJsonCookieTest extends RoleResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Term/TermJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermJsonCookieTest.php
new file mode 100644
index 0000000..6268a74
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Term;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class TermJsonCookieTest extends TermResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/User/UserJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/User/UserJsonCookieTest.php
new file mode 100644
index 0000000..12ee0c9
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/User/UserJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\User;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class UserJsonCookieTest extends UserResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Vocabulary/VocabularyJsonCookieTest.php b/core/modules/rest/tests/src/Functional/EntityResource/Vocabulary/VocabularyJsonCookieTest.php
new file mode 100644
index 0000000..f8939c6
--- /dev/null
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Vocabulary/VocabularyJsonCookieTest.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Drupal\Tests\rest\Functional\EntityResource\Vocabulary;
+
+use Drupal\Tests\rest\Functional\CookieResourceTestTrait;
+
+/**
+ * @group rest
+ */
+class VocabularyJsonCookieTest extends VocabularyResourceTestBase {
+
+  use CookieResourceTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $format = 'json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $mimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $expectedErrorMimeType = 'application/json';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $auth = 'cookie';
+
+}
diff --git a/core/modules/rest/tests/src/Functional/ResourceTestBase.php b/core/modules/rest/tests/src/Functional/ResourceTestBase.php
index dac5305..fe75a7e 100644
--- a/core/modules/rest/tests/src/Functional/ResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/ResourceTestBase.php
@@ -183,14 +183,40 @@ protected function provisionResource($resource_type, $formats = [], $authenticat
   abstract protected function verifyResponseWhenMissingAuthentication(ResponseInterface $response);
 
   /**
+   * Asserts authentication provider-specific edge cases.
+   *
+   * (Should be called before sending a well-formed request.)
+   *
+   * @see \GuzzleHttp\ClientInterface::request()
+   *
+   * @param string $method
+   *   HTTP method.
+   * @param \Drupal\Core\Url $url
+   *   URL to request.
+   * @param array $request_options
+   *   Request options to apply.
+   */
+  abstract protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options);
+
+  /**
+   * Initializes authentication.
+   *
+   * E.g. for cookie authentication, we first need to get a cookie.
+   */
+  protected function initAuthentication() {}
+
+  /**
    * Returns Guzzle request options for authentication.
    *
+   * @param string $method
+   *   The HTTP method for this authenticated request.
+   *
    * @return array
    *   Guzzle request options to use for authentication.
    *
    * @see \GuzzleHttp\ClientInterface::request()
    */
-  protected function getAuthenticationRequestOptions() {
+  protected function getAuthenticationRequestOptions($method) {
     return [];
   }