diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index f6fb6d6..5c12267 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -2456,6 +2456,17 @@ function drupal_container(Container $new_container = NULL, $rebuild = FALSE) {
     $container
       ->register('state.storage', 'Drupal\Core\KeyValueStore\DatabaseStorage')
       ->addArgument('state');
+
+    // Register the session service.
+    $container->register('session.storage.backend', 'Drupal\Core\Session\Handler\DatabaseSessionHandler');
+    $container->register('session.storage.proxy', 'Drupal\Core\Session\Proxy\CookieOverrideProxy')
+      ->addArgument(new Reference('session.storage.backend'));
+    $container->setParameter('session.storage.options', array());
+    $container->register('session.storage', 'Drupal\Core\Session\Storage\DrupalSessionStorage')
+      ->addArgument('%session.storage.options%')
+      ->addArgument(new Reference('session.storage.proxy'));
+    $container->register('session', 'Drupal\Core\Session\Session')
+      ->addArgument(new Reference('session.storage'));
   }
   return $container;
 }
diff --git a/core/includes/common.inc b/core/includes/common.inc
index aea8529..b48e4ad 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -5001,7 +5001,8 @@ function drupal_cron_run() {
 
   // Prevent session information from being saved while cron is running.
   $original_session_saving = drupal_save_session();
-  drupal_save_session(FALSE);
+  $session = drupal_container()->get('session');
+  $session->disableSave();
 
   // Force the current user to anonymous to ensure consistent permissions on
   // cron runs.
@@ -5067,7 +5068,7 @@ function drupal_cron_run() {
   }
   // Restore the user.
   $GLOBALS['user'] = $original_user;
-  drupal_save_session($original_session_saving);
+  $session->enableSave();
 
   return $return;
 }
diff --git a/core/includes/session.inc b/core/includes/session.inc
index b9b8fbc..d134138 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -4,329 +4,307 @@
  * @file
  * User session handling functions.
  *
- * The user-level session storage handlers:
- * - _drupal_session_open()
- * - _drupal_session_close()
- * - _drupal_session_read()
- * - _drupal_session_write()
- * - _drupal_session_destroy()
- * - _drupal_session_garbage_collection()
- * are assigned by session_set_save_handler() in bootstrap.inc and are called
- * automatically by PHP. These functions should not be called directly. Session
- * data should instead be accessed via the $_SESSION superglobal.
- */
-
-/**
- * Session handler assigned by session_set_save_handler().
+ * This file is the first Symfony session usage test. It works gracefully but
+ * some core features had to be removed in order to make it work:
  *
- * This function is used to handle any initialization, such as file paths or
- * database connections, that is needed before accessing session data. Drupal
- * does not need to initialize anything in this function.
+ *  - Dual session cookie handling (HTTP and HTTPS): this must be implemented
+ *    in the custom SessionProxy instance, but today the Symfony framework
+ *    doesn't allow us to implement it fully in there.
+ *    An native implementation that bypass PHP cookie handling and replace it
+ *    by our own, emulating the exact same feature is provided as the
+ *    Drupal\Core\Session\NativeSessionTokenProvider class.
  *
- * This function should not be called directly.
+ *  - The user fetch has been decoupled from Database session storage, thus it
+ *    make one extra SQL query per authenticated page run: we cannot avoid this
+ *    in order to decouple the storage from the user handling. May be in a late
+ *    future we could actually write the serialize user token data into the
+ *    session itself thus avoiding this extra SQL query (as Symfony does per
+ *    default in its Security component).
  *
- * @return
- *   This function will always return TRUE.
- */
-function _drupal_session_open() {
-  return TRUE;
-}
-
-/**
- * Session handler assigned by session_set_save_handler().
+ *  - We cannot delete session by uid, this regression may be the worse. We can
+ *    actually bypass that by ensuring a strict user validity check on session
+ *    read to ensure there is no security implications. In order to make sure
+ *    that invalid session do not stall, we could implement a better garbage
+ *    collection algorithm in database session storage (and definitely remove
+ *    the function that allows session destroy by uid): other backends could
+ *    then implement their own if they can or rely on strict user check on read
+ *    and session timeout otherwise (which functionally will behave the same,
+ *    except that more sessions would stall into the storage, but for a limited
+ *    amount of time).
  *
- * This function is used to close the current session. Because Drupal stores
- * session data in the database immediately on write, this function does
- * not need to do anything.
+ * New good stuff:
  *
- * This function should not be called directly.
+ *  - As written upper, the cookie handling is decoupled from core session
+ *    handling and storage.
  *
- * @return
- *   This function will always return TRUE.
- */
-function _drupal_session_close() {
-  return TRUE;
-}
-
-/**
- * Reads an entire session from the database (internal use only).
+ *  - As written upper, the user token fetch is decoupled from core session
+ *    handling and storage.
  *
- * Also initializes the $user object for the user associated with the session.
- * This function is registered with session_set_save_handler() to support
- * database-backed sessions. It is called on every page load when PHP sets
- * up the $_SESSION superglobal.
+ *  - The design is based upon lazy session write and not lazy session init.
+ *    This means that session will almost always be started and components put
+ *    in place and fully working even if session is not needed, but the session
+ *    token (per default the cookie) will be sent to the client only if he is
+ *    logged or if session data is not empty, thus void sessions will have a
+ *    void impact and will trigger no data write.
  *
- * This function is an internal function and must not be called directly.
- * Doing so may result in logging out the current user, corrupting session data
- * or other unexpected behavior. Session data must always be accessed via the
- * $_SESSION superglobal.
+ *  - Currently the session init function still exists and is necessary, it
+ *    moves all real initialization into the container.
  *
- * @param $sid
- *   The session ID of the session to retrieve.
+ *  - We actually remove a lot of code relying on Symfony's session storage.
  *
- * @return
- *   The user's session, or an empty string if no session exists.
+ *  - We don't need to replace the session.inc file for allowing another session
+ *    storage backend, it's now configurable.
+ *
+ *  - The actual design allows us to use the PHP native session handling just
+ *    by setting the 'session_storage_backend' to
+ *    Symfony\Component\HttpFoundation\SessionStorage\NativeSessionStorage
+ *    It uses per default the database implementation ported to
+ *    Drupal\Core\Session\DatabaseSessionStorage
+ *
+ * Some way to improve this code:
+ *
+ *  - Right now, flash messages are not being used, they will be in the future
+ *    but 2.0 Symfony's HttpFoundation component can not allow us to do that
+ *    because we can't set multiple flash messages per type (error, info, ...).
+ *
+ *  - The Symfony's session handling does not allow a storage direct access per
+ *    design, except if we keep the storage reference somewhere: this means that
+ *    every piece of data we actually store into the Session object attributes
+ *    are stored into the '_symfony2' key as a serialized array: this is by
+ *    design with Symfony 2 because they want to exclude potential framework
+ *    session access conflicts. This design implies we will never be able to
+ *    provide key level locking at the storage level: we are doomed to implement
+ *    the session locking at global session level. This means that any parallel
+ *    AJAX requests will block one another when the user is logged in.
+ *
+ *  - Regarding the above statement, Symfony's session handling design also
+ *    disallow us to use the $_SESSION super global directly. While this is a
+ *    good thing, we have to be careful and fix every bit of code using it.
+ *
+ *  - We have a chicken and egg problem: the database storage does not rely on
+ *    uid field anymore, which means it won't try to update or insert it when
+ *    writting session: in order for this code to work, you must reinstall core
+ *    properly or run the update.php in a session less environment in order to
+ *    ensure that no write access on the table will be made until the update
+ *    ran.
+ *
+ *  - If we switch to 2.1 version of Symfony, we will have to port some specific
+ *    stuff, such as the DatabaseSessionStorage. Aside of that nothing should
+ *    change for us. The only exception seems to be for Flash messages, but we
+ *    will port Drupal messages to Symfony Flash messages only once the core
+ *    session is working and accepted.
+ *
+ *  - The real lazy session loading will come only if we have a lazy user
+ *    loading that relies itself on session.
+ *
+ * Then, for performance matters we could do:
+ *
+ *  - Implement the user token being actively stored into the session data
+ *    instead of being reload. This implies that, for security matters, we need
+ *    to check user token validity on session start: we will remove at least two
+ *    SQL queries (one of user fetch, the other for roles fetch) but we will add
+ *    at least one SQL query (check user validity). The ratio seems good but the
+ *    design a bit more complex, this still is higly doable.
+ *
+ *  - Lazy user loading.
  */
-function _drupal_session_read($sid) {
-  global $user, $is_https;
 
-  // Write and Close handlers are called after destructing objects
-  // since PHP 5.0.5.
-  // Thus destructors can use sessions but session handler can't use objects.
-  // So we are moving session closure before destructing objects.
-  drupal_register_shutdown_function('session_write_close');
+use Drupal\Core\Session\Storage\DrupalSessionStorage;
+use Drupal\Core\Session\Handler\DatabaseSessionHandler;
+use Drupal\Core\Session\Proxy\CookieOverrideProxy;
+use Drupal\Core\Session\Session;
 
-  // Handle the case of first time visitors and clients that don't store
-  // cookies (eg. web crawlers).
-  $insecure_session_name = substr(session_name(), 1);
-  if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) {
-    $user = drupal_anonymous_user();
-    return '';
-  }
-
-  // Otherwise, if the session is still active, we have a record of the
-  // client's session in the database. If it's HTTPS then we are either have
-  // a HTTPS session or we are about to log in so we check the sessions table
-  // for an anonymous session with the non-HTTPS-only cookie.
-  if ($is_https) {
-    $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchObject();
-    if (!$user) {
-      if (isset($_COOKIE[$insecure_session_name])) {
-        $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
-        ':sid' => $_COOKIE[$insecure_session_name]))
-        ->fetchObject();
-      }
-    }
-  }
-  else {
-    $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => $sid))->fetchObject();
+/**
+ * Initializes the session handler, starting a session if needed.
+ *
+ * @todo Move this into a lazy user loading once Drupal will got a fully
+ * featured component registry (aKa DIC).
+ */
+function drupal_session_initialize() {
+  // Symfony does not want to do it by itself, so we need to manually load
+  // the SessionHandlerInterface file if PHP core is prior to 5.4.0
+  // This is handled by the autoloader in Symfony, I don't know if this would
+  // be a good idea for us to do the same.
+  if (version_compare(phpversion(), '5.4.0', '<')) {
+    require_once DRUPAL_ROOT . '/core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Resources/stubs/SessionHandlerInterface.php';
   }
 
-  // We found the client's session record and they are an authenticated,
-  // active user.
-  if ($user && $user->uid > 0 && $user->status == 1) {
-    // This is done to unserialize the data member of $user.
-    $user->data = unserialize($user->data);
+  // @todo: See if it fits with the new plugin API once commited.
+  // @todo: In all case, see if it fits with CMI too (early init).
+  $class = variable_get('session_storage_backend');
 
-    // Add roles element to $user.
-    $user->roles = array();
-    $user->roles[DRUPAL_AUTHENTICATED_RID] = DRUPAL_AUTHENTICATED_RID;
-    $user->roles += db_query("SELECT ur.rid FROM {users_roles} ur WHERE ur.uid = :uid", array(':uid' => $user->uid))->fetchAllKeyed(0, 0);
-  }
-  elseif ($user) {
-    // The user is anonymous or blocked. Only preserve two fields from the
-    // {sessions} table.
-    $account = drupal_anonymous_user();
-    $account->session = $user->session;
-    $account->timestamp = $user->timestamp;
-    $user = $account;
+  // @todo: We should log failed class loading for debugging, but for that we
+  // need an early watchdog function that logs into a file if the database is
+  // not present.
+  if ($class && class_exists($class)) {
+    $handler = new $class();
   }
   else {
-    // The session has expired.
-    $user = drupal_anonymous_user();
-    $user->session = '';
+    $handler = new DatabaseSessionHandler();
   }
 
-  // Store the session that was read for comparison in _drupal_session_write().
-  $last_read = &drupal_static('drupal_session_last_read');
-  $last_read = array(
-    'sid' => $sid,
-    'value' => $user->session,
-  );
+  // @todo Replace this with container definitions instead, for lazy init
+  // and compilation purposes.
+  $storage = new DrupalSessionStorage(array(), new CookieOverrideProxy($handler));
+  $session = new Session($storage);
 
-  return $user->session;
+  $session = drupal_container()->set('session', $session);
+
+  // The function will check for session attributes, which will trigger the
+  // session auto start by the SessionStorageInterface attribute access.
+  // We don't need lazy initialization since the design is based upon lazy
+  // write, forcing a session creation is almost no effect.
+  // @todo: Move all the code above into a kernel listener?
+  _drupal_session_load_user();
 }
 
 /**
- * Writes an entire session to the database (internal use only).
+ * Load user using the uid the session actually holds.
  *
- * This function is registered with session_set_save_handler() to support
- * database-backed sessions.
+ * FIXME: Ideally this would be exported into the user module or any other
+ * system and the user would be lazy loaded on first access attempt, thus
+ * allowing real session lazy load for pages that don't do any user access
+ * checks.
  *
- * This function is an internal function and must not be called directly.
- * Doing so may result in corrupted session data or other unexpected behavior.
- * Session data must always be accessed via the $_SESSION superglobal.
+ * @todo: Replace this with a container lazy initialization function instead.
  *
- * @param $sid
- *   The session ID of the session to write to.
- * @param $value
- *   Session data to write as a serialized string.
+ * @return object
+ *   User account
  *
- * @return
- *   Always returns TRUE.
+ * @see drupal_session_initialize()
+ * @deprecated
  */
-function _drupal_session_write($sid, $value) {
-  global $user, $is_https;
-
-  // The exception handler is not active at this point, so we need to do it
-  // manually.
-  try {
-    if (!drupal_save_session()) {
-      // We don't have anything to do if we are not allowed to save the session.
-      return;
-    }
-
-    // Check whether $_SESSION has been changed in this request.
-    $last_read = &drupal_static('drupal_session_last_read');
-    $is_changed = !isset($last_read) || $last_read['sid'] != $sid || $last_read['value'] !== $value;
-
-    // For performance reasons, do not update the sessions table, unless
-    // $_SESSION has changed or more than 180 has passed since the last update.
-    if ($is_changed || !isset($user->timestamp) || REQUEST_TIME - $user->timestamp > variable_get('session_write_interval', 180)) {
-      // Either ssid or sid or both will be added from $key below.
-      $fields = array(
-        'uid' => $user->uid,
-        'hostname' => ip_address(),
-        'session' => $value,
-        'timestamp' => REQUEST_TIME,
-      );
-
-      // Use the session ID as 'sid' and an empty string as 'ssid' by default.
-      // _drupal_session_read() does not allow empty strings so that's a safe
-      // default.
-      $key = array('sid' => $sid, 'ssid' => '');
-      // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
-      if ($is_https) {
-        $key['ssid'] = $sid;
-        // The "secure pages" setting allows a site to simultaneously use both
-        // secure and insecure session cookies. If enabled and both cookies are
-        // presented then use both keys.
-        if (variable_get('https', FALSE)) {
-          $insecure_session_name = substr(session_name(), 1);
-          if (isset($_COOKIE[$insecure_session_name])) {
-            $key['sid'] = $_COOKIE[$insecure_session_name];
-          }
-        }
-      }
-      elseif (variable_get('https', FALSE)) {
-        unset($key['ssid']);
-      }
-
-      db_merge('sessions')
-        ->key($key)
-        ->fields($fields)
-        ->execute();
+function _drupal_session_load_user() {
+  global $user;
+
+  $session = drupal_container()->get('session');
+
+  if ($session->has('uid') && ($uid = $session->get('uid'))) {
+
+    $user = db_select('users', 'u')
+      ->fields('u')
+      ->condition('u.uid', $session->get('uid'))
+      ->execute()
+      ->fetch();
+
+    if ($user && $user->uid > 0 && $user->status == 1) {
+      // We found the client's session record and there is an authenticated
+      // active user.
+      $user->data = unserialize($user->data);
+      $user->roles = array();
+      $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user';
+      $user->roles += db_query("SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = :uid", array(':uid' => $user->uid))->fetchAllKeyed(0, 1);
+      return $user;
     }
-
-    // Likewise, do not update access time more than once per 180 seconds.
-    if ($user->uid && REQUEST_TIME - $user->access > variable_get('session_write_interval', 180)) {
-      db_update('users')
-        ->fields(array(
-          'access' => REQUEST_TIME
-        ))
-        ->condition('uid', $user->uid)
-        ->execute();
+    elseif ($user) {
+      // The user is anonymous or blocked.
+      $user = drupal_anonymous_user();
     }
-
-    return TRUE;
-  }
-  catch (Exception $exception) {
-    require_once DRUPAL_ROOT . '/core/includes/errors.inc';
-    // If we are displaying errors, then do so with no possibility of a further
-    // uncaught exception being thrown.
-    if (error_displayable()) {
-      print '<h1>Uncaught exception thrown in session handler.</h1>';
-      print '<p>' . _drupal_render_exception_safe($exception) . '</p><hr />';
-    }
-    return FALSE;
-  }
-}
-
-/**
- * Initializes the session handler, starting a session if needed.
- */
-function drupal_session_initialize() {
-  global $user, $is_https;
-
-  session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');
-
-  // We use !empty() in the following check to ensure that blank session IDs
-  // are not valid.
-  if (!empty($_COOKIE[session_name()]) || ($is_https && variable_get('https', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
-    // If a session cookie exists, initialize the session. Otherwise the
-    // session is only started on demand in drupal_session_commit(), making
-    // anonymous users not use a session cookie unless something is stored in
-    // $_SESSION. This allows HTTP proxies to cache anonymous pageviews.
-    drupal_session_start();
-    if (!empty($user->uid) || !empty($_SESSION)) {
-      drupal_page_is_cacheable(FALSE);
+    else {
+      // User does not exists anymore or session data has expired.
+      $user = drupal_anonymous_user();
     }
   }
   else {
-    // Set a session identifier for this request. This is necessary because
-    // we lazily start sessions at the end of this request, and some
-    // processes (like drupal_get_token()) needs to know the future
-    // session ID in advance.
-    $GLOBALS['lazy_session'] = TRUE;
+    // No session uid is set, meaning the session does not exists or the user
+    // is anonymous.
     $user = drupal_anonymous_user();
-    // Less random sessions (which are much faster to generate) are used for
-    // anonymous users than are generated in drupal_session_regenerate() when
-    // a user becomes authenticated.
-    session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
-    if ($is_https && variable_get('https', FALSE)) {
-      $insecure_session_name = substr(session_name(), 1);
-      $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
-      $_COOKIE[$insecure_session_name] = $session_id;
-    }
   }
-  date_default_timezone_set(drupal_get_user_timezone());
-}
 
-/**
- * Forcefully starts a session, preserving already set session data.
- *
- * @ingroup php_wrappers
- */
-function drupal_session_start() {
-  // Command line clients do not support cookies nor sessions.
-  if (!drupal_session_started() && !drupal_is_cli()) {
-    // Save current session data before starting it, as PHP will destroy it.
-    $session_data = isset($_SESSION) ? $_SESSION : NULL;
-
-    session_start();
-    drupal_session_started(TRUE);
-
-    // Restore session data.
-    if (!empty($session_data)) {
-      $_SESSION += $session_data;
-    }
+  // Core can cache pages if session is empty (no flash messages) and user
+  // is not logged in.
+  if (!empty($user->uid) || !$session->isEmpty()) {
+    drupal_page_is_cacheable(FALSE);
   }
+
+  date_default_timezone_set(drupal_get_user_timezone());
 }
 
 /**
  * Commits the current session, if necessary.
- *
- * If an anonymous user already have an empty session, destroy it.
+ * @todo: This should move into an AbstractProxy implementation instead.
  */
 function drupal_session_commit() {
-  global $user, $is_https;
+  global $user;
+
+  $session = drupal_container()->get('session');
+
+  if (!$session->isSaveEnabled()) {
+    // In case business layer specifically asked for not saving the session, we
+    // need to unregister potential handlers the Symfony session storage
+    // component may have registered for us. Considering that this function is
+    // only run when Drupal is doing its proper shutdown, we can safely assume
+    // the session has not been automatically saved by PHP at shutdown.
+    // Notice that this check is duplicated into the Session::save() method in
+    // order to avoid accidental save. This check here only exists for minor
+    // performance reasons.
+    return;
+  }
+
+  if (empty($user->uid)) {
+    // Ensure there is no 'uid' set in session. Keeping an outdated or empty
+    // session 'uid' attributes would taint the Session::isEmpty() check and
+    // give potential false positives, thus forcing empty session to be saved.
+    $session->remove('uid');
+  }
 
+  // Nothing to do if we are not allowed to change the session.
   if (!drupal_save_session()) {
-    // We don't have anything to do if we are not allowed to save the session.
     return;
   }
 
-  if (empty($user->uid) && empty($_SESSION)) {
-    // There is no session data to store, destroy the session if it was
-    // previously started.
-    if (drupal_session_started()) {
-      session_destroy();
+  if ($is_https && variable_get('https', FALSE)) {
+    $insecure_session_name = substr(session_name(), 1);
+    if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
+      $old_insecure_session_id = $_COOKIE[$insecure_session_name];
     }
+    $params = session_get_cookie_params();
+    $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
+    // If a session cookie lifetime is set, the session will expire
+    // $params['lifetime'] seconds from the current request. If it is not set,
+    // it will expire when the browser is closed.
+    $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
+    setcookie($insecure_session_name, $session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
+    $_COOKIE[$insecure_session_name] = $session_id;
+  }
+  else if (!empty($user->uid)) {
+    // Ensure the uid is set into session, forcing it to reflect the user really
+    // being logged in and may prevent some security hijack attemps.
+    $session->set('uid', $user->uid);
+  }
+
+  if ($session->isEmpty()) {
+    // Force any empty session to be destroyed, this will avoid next bootstrap
+    // with the same client to attempt a useless user initialization and session
+    // read thus saving precious SQL queries.
+    $session->invalidate();
   }
   else {
-    // There is session data to store. Start the session if it is not already
-    // started.
-    if (!drupal_session_started()) {
-      drupal_session_start();
-      if ($is_https && variable_get('https', FALSE)) {
-        $insecure_session_name = substr(session_name(), 1);
-        $params = session_get_cookie_params();
-        $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
-        setcookie($insecure_session_name, $_COOKIE[$insecure_session_name], $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
-      }
-    }
-    // Write the session data.
-    session_write_close();
+    // Save the session only if necessary.
+    $session->save();
+  }
+  // Nothing to do if we are not allowed to change the session.
+  if (!drupal_save_session()) {
+    return;
+  }
+
+  // Delete session data.
+  db_delete('sessions')
+    ->condition($is_https ? 'ssid' : 'sid', $sid)
+    ->execute();
+
+  // Reset $_SESSION and $user to prevent a new session from being started
+  // in drupal_session_commit().
+  $_SESSION = array();
+  $user = drupal_anonymous_user();
+
+  // Unset the session cookies.
+  _drupal_session_delete_cookie(session_name());
+  if ($is_https) {
+    _drupal_session_delete_cookie(substr(session_name(), 1), FALSE);
+  }
+  elseif (variable_get('https', FALSE)) {
+    _drupal_session_delete_cookie('S' . session_name(), TRUE);
   }
 }
 
@@ -529,5 +507,4 @@ function drupal_save_session($status = NULL) {
   if (isset($status)) {
     $save_session = $status;
   }
-  return $save_session;
 }
diff --git a/core/lib/Drupal/Core/CoreBundle.php b/core/lib/Drupal/Core/CoreBundle.php
index 4ad6726..ba02306 100644
--- a/core/lib/Drupal/Core/CoreBundle.php
+++ b/core/lib/Drupal/Core/CoreBundle.php
@@ -53,6 +53,17 @@ class CoreBundle extends Bundle
       ->setFactoryMethod('getConnection')
       ->addArgument('slave');
 
+    // Register the session service.
+    $container->register('session.storage.backend', 'Drupal\Core\Session\Handler\DatabaseSessionHandler');
+    $container->register('session.storage.proxy', 'Drupal\Core\Session\Proxy\CookieOverrideProxy')
+      ->addArgument(new Reference('session.storage.backend'));
+    $container->setParameter('session.storage.options', array());
+    $container->register('session.storage', 'Drupal\Core\Session\Storage\DrupalSessionStorage')
+      ->addArgument('%session.storage.options%')
+      ->addArgument(new Reference('session.storage.proxy'));
+    $container->register('session', 'Drupal\Core\Session\Session')
+      ->addArgument(new Reference('session.storage'));
+
     // @todo Replace below lines with the commented out block below it when it's
     //   performant to do so: http://drupal.org/node/1706064.
     $dispatcher = $container->get('dispatcher');
diff --git a/core/lib/Drupal/Core/Session/Handler/DatabaseSessionHandler.php b/core/lib/Drupal/Core/Session/Handler/DatabaseSessionHandler.php
new file mode 100644
index 0000000..7a99aba
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/Handler/DatabaseSessionHandler.php
@@ -0,0 +1,63 @@
+<?php
+
+namespace Drupal\Core\Session\Handler;
+
+/**
+ * Drupal database session handler, load and save sessions using the {sessions}
+ * table throught DBTng.
+ */
+class DatabaseSessionHandler implements \SessionHandlerInterface {
+  public function open($savePath, $sessionName) {
+    return TRUE;
+  }
+
+  public function close() {
+    return TRUE;
+  }
+
+  public function destroy($sessionId) {
+    try {
+      db_delete('sessions')->condition('sid', $sessionId)->execute();
+    }
+    catch (\PDOException $e) {
+      throw new \RuntimeException(sprintf('PDOException was thrown when trying to manipulate session data: %s', $e->getMessage()), 0, $e);
+    }
+
+    return TRUE;
+  }
+
+  public function gc($lifetime) {
+    try {
+      db_delete('sessions')->condition('timestamp', time() - $lifetime, '<')->execute();
+    }
+    catch (\PDOException $e) {
+      throw new \RuntimeException(sprintf('PDOException was thrown when trying to manipulate session data: %s', $e->getMessage()), 0, $e);
+    }
+
+    return TRUE;
+  }
+
+  public function read($sessionId) {
+    $data = db_query("SELECT s.* FROM {sessions} s WHERE s.sid = :sid", array(':sid' => $sessionId))->fetchObject();
+    return !empty($data) ? $data->session : '';
+  }
+
+  public function write($sessionId, $data) {
+    try {
+      db_merge('sessions')
+        ->key(array(
+          'sid' => $sessionId,
+        ))
+        ->fields(array(
+          'session' => $data,
+          'timestamp' => time(),
+        ))
+        ->execute();
+    }
+    catch (\PDOException $e) {
+      throw new \RuntimeException(sprintf('PDOException was thrown when trying to write session data: %s', $e->getMessage()), 0, $e);
+    }
+
+    return TRUE;
+  }
+}
diff --git a/core/lib/Drupal/Core/Session/Proxy/CookieOverrideProxy.php b/core/lib/Drupal/Core/Session/Proxy/CookieOverrideProxy.php
new file mode 100644
index 0000000..f572420
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/Proxy/CookieOverrideProxy.php
@@ -0,0 +1,140 @@
+<?php
+
+namespace Drupal\Core\Session\Proxy;
+
+use Symfony\Component\HttpFoundation\Session\Storage\Proxy\SessionHandlerProxy;
+
+// @todo Replace this at the correct place.
+// If a session cookie exists, initialize the session. Otherwise the
+// session is only started on demand in drupal_session_commit(), making
+// anonymous users not use a session cookie unless something is stored in
+// $_SESSION. This allows HTTP proxies to cache anonymous pageviews.
+
+/**
+ * Custom SessionHandlerProxy implementation that allows us to handle the HTTP
+ * and HTTPS session cookies manually, and enfore strong security measures for
+ * the session handling.
+ */
+class CookieOverrideProxy extends SessionHandlerProxy {
+
+  /**
+   * Defautl Constructor.
+   *
+   * @param \SessionHandlerInterface $handler
+   */
+  public function __construct(\SessionHandlerInterface $handler) {
+    parent::__construct($handler);
+
+    if ($id = $this->getIdFromCookie()) {
+      $this->setId($id);
+    }
+    else {
+      // Set a session identifier for this request. This is necessary because we
+      // lazily start sessions at the end of this request, and some processes
+      // (like drupal_get_token()) needs to know the future session ID i
+      // advance.
+      $GLOBALS['lazy_session'] = TRUE;
+
+      // Less random sessions (which are much faster to generate) are used for
+      // anonymous users than are generated in drupal_session_regenerate() when
+      // a user becomes authenticated.
+      $this->regenerateId();
+
+      /*
+       * @todo Restore HTTPS cookie
+      if ($is_https && variable_get('https', FALSE)) {
+        $insecure_session_name = substr(session_name(), 1);
+        $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
+        $_COOKIE[$insecure_session_name] = $session_id;
+      }
+       */
+    }
+  }
+
+  /**
+   * Get current session identifier from cookie, if any.
+   *
+   * @return string
+   *   Session identifier or NULL if none found.
+   */
+  protected function getIdFromCookie() {
+    $name = $this->getName();
+    if (!empty($_COOKIE[$name])) {
+      // @todo Restore HTTPS cookie
+      //|| ($GLOBALS['is_https'] && variable_get('https', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
+      return $_COOKIE[$name];
+    }
+  } 
+
+  protected function destroyCookies() {
+    $params = session_get_cookie_params();
+    // @todo Restore HTTPS cookie
+    setcookie($this->getName(), '', time() - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+  }
+
+  protected function sendCookies($id) {
+    $params = session_get_cookie_params();
+    $expire = $params['lifetime'] ? time() + $params['lifetime'] : 0;
+    // @todo Restore HTTPS cookie
+    setcookie($this->getName(), $id, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+  }
+
+  public function write($id, $data) {
+
+    if (!$this->active) {
+      return FALSE;
+    }
+
+    // Cookie sending must be when we are sure we need to keep the session, this
+    // ensure the lazy session init. Lazy session init is abusive talking we are
+    // not lazy initializing the session, but lazy sending the session cookie
+    // instead. Each anonymous user will intrinsecly have a session tied, which
+    // allows to generate tokens for forms and such, but if the session ends up
+    // empty, the cookies will not be sent and the session will not be saved on
+    // disk.
+    $this->sendCookies($id);
+
+    return (bool) $this->handler->write($id, $data);
+  }
+
+  public function destroy($id) {
+    $this->destroyCookies($id);
+
+    return (bool) $this->handler->destroy($id);
+  }
+
+  /**
+   * Generate new session identifier.
+   *
+   * The the session_regenerate_id() is hardcoded into Symfony's
+   * NativeSessionStorage implementation while all other session_*() functions
+   * are used as setters only in the AbstractProxy implementation. This feels
+   * wrong and we need to override it without doing invasive changes.
+   *
+   * @todo Propose a nice PR to Symfony guys so they move this specific call
+   * into the SessionHandlerProxy so we wouldn't have to override the
+   * NativeSessionStorage at all.
+   *
+   * @see Drupal\Core\Session\Proxy\Storage\DrupalSessionStorage::regenerate()
+   *
+   * @param bool $destroy
+   *   (optional) If set to TRUE, destroy the old session.
+   *
+   * @return string
+   *   New session identifier.
+   */
+  public function regenerateId($destroy = FALSE) {
+    $id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
+
+    // Do not call parent::setId() here, else it will throw exceptions because
+    // during session identifier regeneration, this component is considered as
+    // active.
+    session_id($id);
+
+    if ($destroy) {
+      $this->destroyCookies();
+    }
+
+    return TRUE;
+  }
+}
diff --git a/core/lib/Drupal/Core/Session/Session.php b/core/lib/Drupal/Core/Session/Session.php
new file mode 100644
index 0000000..e6eb8f4
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/Session.php
@@ -0,0 +1,98 @@
+<?php
+
+namespace Drupal\Core\Session;
+
+use Symfony\Component\HttpFoundation\Session\Session as BaseSession;
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+
+/**
+ * This SessionInterface implementation add the SessionTokenProviderInterface
+ * support for delegating session token management to a specific injectable
+ * implementation. 
+ *
+ * Even though the SessionInterface is fairly easy to implement we have to
+ * override it because the Symfony native one makes extensive calls to the
+ * SessionStorageInterface::getBag() method will ensure the session auto start
+ * to work as expected.
+ */
+class Session extends BaseSession {
+
+  public function start() {
+    $this->isStarted = TRUE;
+    return $this->storage->start();
+  }
+
+  /**
+   * Enable session save, at commit time session will be saved by the session
+   * handler and session token will be sent.
+   */
+  public function enableSave() {
+
+    if (!$this->storage instanceof NativeSessionStorage) {
+      throw new \LogicException("Cannot enable or disable storage when not using a NativeSessionStorage implementation");
+    }
+
+    $this->storage->getSaveHandler()->setActive(TRUE);
+  }
+
+  /**
+   * Disable session save, at commit time session save will be skiped and
+   * session token will not be sent to client.
+   *
+   * This function allows the caller to temporarily disable writing of
+   * session data, should the request end while performing potentially
+   * dangerous operations, such as manipulating the global $user object.
+   * See http://drupal.org/node/218104 for usage.
+   */
+  public function disableSave() {
+
+    if (!$this->storage instanceof NativeSessionStorage) {
+      throw new \LogicException("Cannot enable or disable storage when not using a NativeSessionStorage implementation");
+    }
+
+    $this->storage->getSaveHandler()->setActive(FALSE);
+  }
+
+  /**
+   * Is the session save enabled.
+   *
+   * @return bool
+   */
+  public function isSaveEnabled() {
+
+    if (!$this->storage instanceof NativeSessionStorage) {
+      // Cannot disable explicitely session write when not using a session
+      // storage that does not explicitely rely on a session handler. Case in
+      // which we can safely assume write is always enabled.
+      return TRUE;
+    }
+
+    return $this->storage->getSaveHandler()->isActive();
+  }
+
+  /**
+   * Does this session is empty.
+   *
+   * @todo This is the most absurd implementation that could ever been written
+   * but there is no clean solution because bags can not be directly accessed
+   * via protected attributes, and they don't have either a count() or isEmpty()
+   * method.
+   *
+   * @return bool
+   *   TRUE if session is empty.
+   */
+  public function isEmpty() {
+    return !count($this->getFlashBag()->all()) && !count($this->all());
+  }
+
+  public function save() {
+    // Session saving is checked upper, but avoid accidental save() trigger in
+    // case save is disabled.
+    // @todo May be should throw a \LogicException here?
+    if (!$this->isSaveEnabled()) {
+      return;
+    }
+
+    parent::save();
+  }
+}
diff --git a/core/lib/Drupal/Core/Session/Storage/DrupalSessionStorage.php b/core/lib/Drupal/Core/Session/Storage/DrupalSessionStorage.php
new file mode 100644
index 0000000..c223dbc
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/Storage/DrupalSessionStorage.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Drupal\Core\Session\Storage;
+
+use Drupal\Core\Session\Proxy\CookieOverrideProxy;
+
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+
+/**
+ * Default session storage. This is a proxy class between the $_SESSION super
+ * global and the Session object bags. There is no way on earth we would want
+ * to write our own implementation, this one only exists in order to override
+ * some harcoded PHP ini by the Symfony implementation that may disturb our
+ * SessionTokenProviderInterface feature.
+ *
+ * In opposition to Symfony 2.0, this proxy implementation will allow us to use
+ * the $_SESSION array without worrying about loosing data, all we need to do is
+ * to check that our own code hits $_SESSION keys that are synchronized to this
+ * object's bags.
+ */
+class DrupalSessionStorage extends NativeSessionStorage {
+
+  public function __construct(array $options = array(), $handler = null, MetadataBag $metaBag = null) {
+    // Set PHP defaults to fit with our session usage.
+    ini_set('session.auto_start', 1);
+    ini_set('session.use_cookies', 0);
+
+    // In the parent class, the session_register_shutdown() is called. Because
+    // PHP native session will run the close handler in the PHP shutdown hooks,
+    // most Drupal systems our handler relies on will be destructed before this
+    // call. This is the main reason why we need to extends Symfony's component
+    // in order to avoid the native shutdown to run.
+    $this->setMetadataBag($metaBag);
+    $this->setOptions($options);
+    $this->setSaveHandler($handler);
+  }
+
+  public function clear() {
+    parent::clear();
+
+    // Clearing the session is a signal sent when session is invalidated, this
+    // means we can mark the session handler as inactive so it won't attempt
+    // any empty session write. Our session handler will send session cookie at
+    // write time. This allows lazy cookie sending to the client.
+    $this->saveHandler->setActive(FALSE);
+  }
+
+  public function regenerate($destroy = FALSE, $lifetime = NULL) {
+
+    if (null !== $lifetime) {
+      ini_set('session.cookie_lifetime', $lifetime);
+    }
+
+    if ($destroy) {
+      $this->metadataBag->stampNew();
+    }
+
+    // If the current save handler is our own we must rely its own session
+    // identifier generation method. I hope Symfony will move this call to
+    // this object so we can get rid of this method override.
+    if ($this->saveHandler instanceof CookieOverrideProxy) {
+      return $this->saveHandler->regenerateId($destroy);
+    }
+    else {
+      return session_regenerate_id($destroy);
+    }
+  }
+}
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 3790f2b..8822219 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -1272,32 +1272,12 @@ function system_schema() {
   $schema['sessions'] = array(
     'description' => "Drupal's session handlers read and write into the sessions table. Each record represents a user session, either anonymous or authenticated.",
     'fields' => array(
-      'uid' => array(
-        'description' => 'The {users}.uid corresponding to a session, or 0 for anonymous user.',
-        'type' => 'int',
-        'unsigned' => TRUE,
-        'not null' => TRUE,
-      ),
       'sid' => array(
         'description' => "A session ID. The value is generated by Drupal's session handlers.",
         'type' => 'varchar',
         'length' => 128,
         'not null' => TRUE,
       ),
-      'ssid' => array(
-        'description' => "Secure session ID. The value is generated by Drupal's session handlers.",
-        'type' => 'varchar',
-        'length' => 128,
-        'not null' => TRUE,
-        'default' => '',
-      ),
-      'hostname' => array(
-        'description' => 'The IP address that last used this session ID (sid).',
-        'type' => 'varchar',
-        'length' => 128,
-        'not null' => TRUE,
-        'default' => '',
-      ),
       'timestamp' => array(
         'description' => 'The Unix timestamp when this session last requested a page. Old records are purged by PHP automatically.',
         'type' => 'int',
@@ -1311,20 +1291,9 @@ function system_schema() {
         'size' => 'big',
       ),
     ),
-    'primary key' => array(
-      'sid',
-      'ssid',
-    ),
+    'primary key' => array('sid'),
     'indexes' => array(
       'timestamp' => array('timestamp'),
-      'uid' => array('uid'),
-      'ssid' => array('ssid'),
-    ),
-    'foreign keys' => array(
-      'session_user' => array(
-        'table' => 'users',
-        'columns' => array('uid' => 'uid'),
-      ),
     ),
   );
 
@@ -1976,6 +1945,23 @@ function system_update_8021() {
 }
 
 /**
+ * Make changes on the {sessions} table accordingly to new Symfony session
+ * handling usage.
+ *
+ * @todo This will fail, always. The only way we can ensure update will work
+ * seamlessly is by defaulting the {sessions}.uid column to 0 in Drupal 7, thus
+ * ensuring the new database storage handler will ignore this field when doing
+ * the session db_merge().
+ *
+ * @see http://drupal.org/node/335411
+ */
+function system_update_8022() {
+  db_drop_field('sessions', 'uid');
+  db_drop_field('sessions', 'hostname');
+  db_drop_field('sessions', 'ssid');
+}
+
+/**
  * @} End of "defgroup updates-7.x-to-8.x".
  * The next series of updates should start at 9000.
  */
diff --git a/core/modules/user/lib/Drupal/user/UserStorageController.php b/core/modules/user/lib/Drupal/user/UserStorageController.php
index 2660300..8868000 100644
--- a/core/modules/user/lib/Drupal/user/UserStorageController.php
+++ b/core/modules/user/lib/Drupal/user/UserStorageController.php
@@ -166,9 +166,9 @@ class UserStorageController extends DatabaseStorageController {
       // If the password has been changed, delete all open sessions for the
       // user and recreate the current one.
       if ($entity->pass != $entity->original->pass) {
-        drupal_session_destroy_uid($entity->uid);
+        // FIXME: Destroy session by uid here
         if ($entity->uid == $GLOBALS['user']->uid) {
-          drupal_session_regenerate();
+          drupal_container()->get('session')->regenerate();
         }
       }
 
@@ -195,7 +195,7 @@ class UserStorageController extends DatabaseStorageController {
 
       // If the user was blocked, delete the user's sessions to force a logout.
       if ($entity->original->status != $entity->status && $entity->status == 0) {
-        drupal_session_destroy_uid($entity->uid);
+        // FIXME: Session destroy by uid here.
       }
 
       // Send emails after we have the new user object.
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 7fb6a37..2ff8f3f 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -302,7 +302,8 @@ function user_load_multiple(array $uids = NULL, $reset = FALSE) {
  * user. So to avoid confusion and to avoid clobbering the global $user object,
  * it is a good idea to assign the result of this function to a different local
  * variable, generally $account. If you actually do want to act as the user you
- * are loading, it is essential to call drupal_save_session(FALSE); first.
+ * are loading, it is essential to call
+ * \Drupal\Core\Session\Session::disableSave(); first.
  * See
  * @link http://drupal.org/node/218104 Safely impersonating another user @endlink
  * for more information.
@@ -1762,10 +1763,12 @@ function user_login_finalize(&$edit = array()) {
     ->condition('uid', $user->uid)
     ->execute();
 
+  $session = drupal_container()->get('session');
   // Regenerate the session ID to prevent against session fixation attacks.
   // This is called before hook_user in case one of those functions fails
   // or incorrectly does a redirect which would leave the old session in place.
-  drupal_session_regenerate();
+  $session->migrate();
+  $session->set('uid', $user->uid);
 
   user_module_invoke('login', $edit, $user);
 }
@@ -2010,6 +2013,7 @@ function user_delete($uid) {
  */
 function user_delete_multiple(array $uids) {
   entity_get_controller('user')->delete($uids);
+  // FIXME: Delete session by uid here.
 }
 
 /**
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index 9dd2cc9..4a53705 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -178,7 +178,8 @@ function user_logout() {
   module_invoke_all('user_logout', $user);
 
   // Destroy the current session, and reset $user to the anonymous user.
-  session_destroy();
+  $user = drupal_anonymous_user();
+  drupal_container()->get('session')->invalidate();
 
   drupal_goto();
 }