diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 0fea500ce5..5e42186f71 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -216,6 +216,13 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
       return;
     }
 
+    // The default behaviour in Drupal when regenerating a session is to destroy
+    // the existing session. This is inline with the @link https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
+    // OWASP session management cheat sheet. @endlink
+    if (count(func_get_args())) {
+      $destroy = TRUE;
+    }
+
     $regenerated = parent::regenerate($destroy, $lifetime);
 
     if (!$regenerated && $destroy) {
diff --git a/core/misc/cspell/dictionary.txt b/core/misc/cspell/dictionary.txt
index 684dfa4ff9..c8d9694e86 100644
--- a/core/misc/cspell/dictionary.txt
+++ b/core/misc/cspell/dictionary.txt
@@ -1130,6 +1130,7 @@ overrider's
 overriders
 overridetest
 overwritable
+owasp
 pageable
 pagecache
 pagetop
diff --git a/core/modules/user/tests/src/Functional/UserCancelTest.php b/core/modules/user/tests/src/Functional/UserCancelTest.php
index 7b454f4302..9e4a18f6f5 100644
--- a/core/modules/user/tests/src/Functional/UserCancelTest.php
+++ b/core/modules/user/tests/src/Functional/UserCancelTest.php
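Review bot: The `count(func_get_args())` guard contradicts the comment above it: a bare `regenerate()` keeps the signature default `$destroy = FALSE` and does not destroy the old session, while an explicit `regenerate(FALSE, $lifetime)` is silently upgraded to a destroy, so the argument can never be used to opt out. If the intent is that Drupal always destroys the old session on regeneration (the session-fixation mitigation the OWASP reference describes), say so in both code and comment: `$destroy = TRUE;` with no condition, plus a line such as `// The $destroy argument is ignored; Drupal always destroys the old session.` If callers are instead meant to be able to opt out, move the default into the signature (`$destroy = TRUE`) and drop the argument-count check, which also removes the surprising dependence on how many arguments were written at the call site. The `if (!$regenerated && $destroy)` branch below relies on whichever value is chosen, and the rest of regenerate() lies outside the hunk.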
@@ -476,6 +476,11 @@ public function testUserDelete() {
     $user_storage->resetCache([$account->id()]);
     $this->assertNull($user_storage->load($account->id()), 'User is not found in the database.');
 
+    // Confirm there's only one session in the database. The user will be logged
+    // out and their session migrated.
+    // @see _user_cancel_session_regenerate()
+    $this->assertSame(1, (int) \Drupal::database()->select('sessions', 's')->countQuery()->execute()->fetchField());
+
     // Confirm that user's content has been deleted.
     $node_storage->resetCache([$node->id()]);
     $this->assertNull($node_storage->load($node->id()), 'Node of the user has been deleted.');
diff --git a/core/modules/user/tests/src/Functional/UserEditTest.php b/core/modules/user/tests/src/Functional/UserEditTest.php
index 4cf8179e43..0054bc4374 100644
--- a/core/modules/user/tests/src/Functional/UserEditTest.php
+++ b/core/modules/user/tests/src/Functional/UserEditTest.php
@@ -79,6 +79,11 @@ public function testUserEdit() {
     $this->drupalPostForm("user/" . $user1->id() . "/edit", $edit, 'Save');
     $this->assertRaw(t("The changes have been saved."));
 
+    // Confirm there's only one session in the database as the existing session
+    // has been migrated when the password is changed.
+    // @see \Drupal\user\Entity\User::postSave()
+    $this->assertSame(1, (int) \Drupal::database()->select('sessions', 's')->countQuery()->execute()->fetchField());
+
     // Make sure the changed timestamp is updated.
     $this->assertEqual($user1->getChangedTime(), REQUEST_TIME, 'Changing a user sets "changed" timestamp.');
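Review bot: The new assertion only checks that the `sessions` table holds exactly one row; that proves no duplicate session was left behind, but it depends on how many sessions the test fixture has opened before this point and fails with a bare `1 !== 2` when that changes. Recording the session id before the cancellation and asserting afterwards that no `sessions` row with that `sid` remains would pin the migration the comment describes; at minimum pass a message such as `'Only one session remains after the account is cancelled.'` as the third argument so a count mismatch explains itself. The same count query is copied into the UserEditTest hunk below, where the same point applies. testUserDelete() begins before this hunk.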