diff --git a/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs b/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
index 5a0d63d95d..7ca9348595 100644
--- a/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
+++ b/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
@@ -141,12 +141,13 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 {
 return AuthenticateResult.Fail("SessionId missing");
 }
- _sessionKey = claim.Value;
- ticket = await Options.SessionStore.RetrieveAsync(_sessionKey);
+ // Only store _sessionKey if it matches an existing session. Otherwise we'll create a new one.
+ ticket = await Options.SessionStore.RetrieveAsync(claim.Value);
 if (ticket == null)
 {
 return AuthenticateResult.Fail("Identity missing in session store");
 }
+ _sessionKey = claim.Value;
 }
 
 var currentUtc = Clock.UtcNow;
@@ -304,9 +305,14 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 {
 if (_sessionKey != null)
 {
- await Options.SessionStore.RemoveAsync(_sessionKey);
+ // Renew the ticket in cases of multiple requests see: https://github.com/dotnet/aspnetcore/issues/22135
+ await Options.SessionStore.RenewAsync(_sessionKey, ticket);
 }
- _sessionKey = await Options.SessionStore.StoreAsync(ticket);
+ else
+ {
+ _sessionKey = await Options.SessionStore.StoreAsync(ticket);
+ }
+
 var principal = new ClaimsPrincipal(
 new ClaimsIdentity(
 new[] { new Claim(SessionIdClaim, _sessionKey, ClaimValueTypes.String, Options.ClaimsIssuer) },
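Review bot: `_sessionKey` is now assigned only after a successful `RetrieveAsync`, but nothing in this hunk clears it again if the ticket is later rejected, and the expiry check that presumably follows `var currentUtc = Clock.UtcNow;` lies outside the hunk. If that check removes the session from the store on an expired ticket, `_sessionKey` still points at a key that no longer exists, and a sign-in later in the same request would take the renew path in the second hunk on a dead key instead of storing a fresh session. Where the expired session is removed, reset the field alongside it: `_sessionKey = null; // session removed from the store, so sign-in must create a new one`. The enclosing authenticate method starts and ends outside the hunk, so I cannot confirm whether that reset already exists.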
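Review bot: The new `RenewAsync(_sessionKey, ticket)` branch keeps the session key from the incoming cookie across a sign-in, so the server-side key is no longer rotated when the principal changes; the only condition checked is `_sessionKey != null`, not whether `ticket` belongs to the same identity that the cookie authenticated earlier in the request. Issuing a fresh key on sign-in is the standard mitigation for session fixation, and the comment cites the issue but not this trade-off, so at minimum it should say which case the renew path is meant for (repeated sign-ins for the same principal) and that the key is deliberately preserved. If the intent is narrower than the check, gate the renew on the principal matching the previously authenticated ticket and otherwise fall through to `StoreAsync` plus `RemoveAsync` of the old key. The sign-in method starts and ends outside the hunk, so the previously authenticated ticket is not visible here.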