diff --git a/core/src/test/java/org/apache/brooklyn/core/test/HttpService.java b/core/src/test/java/org/apache/brooklyn/core/test/HttpService.java
index 2cb53e8375..b2ff422f4e 100644
--- a/core/src/test/java/org/apache/brooklyn/core/test/HttpService.java
+++ b/core/src/test/java/org/apache/brooklyn/core/test/HttpService.java
@@ -28,7 +28,10 @@
 import java.net.InetAddress;
 import java.security.KeyStore;
 
-import org.eclipse.jetty.security.*;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.security.HashLoginService;
+import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.security.authentication.BasicAuthenticator;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Server;
@@ -89,8 +92,11 @@ public HttpService(PortRange portRange, boolean httpsEnabled) {
      * Enables basic HTTP authentication on the server.
      */
     public HttpService basicAuthentication(String username, String password) {
-        final String userRole = "user";
-        Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, userRole);
+        HashLoginService l = new HashLoginService();
+        l.putUser(username, Credential.getCredential(password), new String[]{"user"});
+        l.setName("test-realm");
+
+        Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
         constraint.setAuthenticate(true);
 
         ConstraintMapping constraintMapping = new ConstraintMapping();
@@ -99,30 +105,15 @@ public HttpService basicAuthentication(String username, String password) {
 
         ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
         csh.setAuthenticator(new BasicAuthenticator());
-        final String realmName = "test-realm";
-        csh.setRealmName(realmName);
+        csh.setRealmName("test-realm");
         csh.addConstraintMapping(constraintMapping);
-        csh.setLoginService(createLoginService(realmName, username, password, new String[]{userRole}));
+        csh.setLoginService(l);
 
         this.securityHandler = Optional.of(csh);
 
         return this;
     }
 
-    private LoginService createLoginService(
-            final String serviceName, final String username, final String password, final String[] roles) {
-        final HashLoginService loginService = new HashLoginService();
-        loginService.setName(serviceName);
-        loginService.setUserStore(createUserStore(username, password, roles));
-        return loginService;
-    }
-
-    private UserStore createUserStore(final String username, final String password, final String[] roles) {
-        final UserStore userStore = new UserStore();
-        userStore.addUser(username, Credential.getCredential(password), roles);
-        return userStore;
-    }
-
     public HttpService start() throws Exception {
         TestResourceUnavailableException.throwIfResourceUnavailable(getClass(), ROOT_WAR_PATH);
 
diff --git a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
index 236bf7590f..840e54146e 100644
--- a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
+++ b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
@@ -31,6 +31,7 @@
 import org.apache.brooklyn.util.exceptions.Exceptions;
 import org.apache.brooklyn.util.os.Os;
 import org.apache.brooklyn.util.text.Identifiers;
+import org.eclipse.jetty.server.SessionManager;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -75,9 +76,7 @@ public WebAppContext get(ManagementContext managementContext, Map<String, Object
         // it might be better to make this brooklyn-only or base on the management-plane ID;
         // but i think it actually *is* per-server instance, since we don't cache sessions server-side,
         // so i think this is write. [Alex 2015-09]
-        final String sessionCookieProperty = "org.eclipse.jetty.servlet.SessionCookie";
-        final String cookieValue = "JSESSIONID_BROOKLYN" + Identifiers.makeRandomId(6);
-        context.setInitParameter(sessionCookieProperty, cookieValue);
+        context.setInitParameter(SessionManager.__SessionCookieProperty, SessionManager.__DefaultSessionCookie + "_" + "BROOKLYN" + Identifiers.makeRandomId(6));
         context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
         context.setAttribute(BrooklynServiceAttributes.BROOKLYN_MANAGEMENT_CONTEXT, managementContext);
         for (Map.Entry<String, Object> attributeEntry : attributes.entrySet()) {
diff --git a/pom.xml b/pom.xml
index 26dfbb9bda..df69f6fecb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -165,7 +165,7 @@
         <karaf.version>4.2.1</karaf.version>
         <karaf.plugin.version>4.1.4</karaf.plugin.version><!-- held back for KARAF-5932 - fixed in 4.2.2 -->
         <felix.framework.version>5.6.10</felix.framework.version>
-        <jetty.version>9.4.11.v20180605</jetty.version>
+        <jetty.version>9.3.24.v20180605</jetty.version>
 
         <!-- Transitive dependencies, declared explicitly to avoid version mismatch -->
         <clojure.version>1.4.0</clojure.version>