diff --git a/src/core/server/http/cookie_session_storage.ts b/src/core/server/http/cookie_session_storage.ts
index fd86b6a6da103..5934b66b8df5c 100644
--- a/src/core/server/http/cookie_session_storage.ts
+++ b/src/core/server/http/cookie_session_storage.ts
@@ -55,10 +55,10 @@ class ScopedCookieSessionStorage> implements Sessi
 ) {}
 public async get(): Promise {
 try {
- const session = await this.server.auth.test('security-cookie', this.request);
+ const { credentials: session } = await this.server.auth.test('security-cookie', this.request);
 // A browser can send several cookies, if it's not an array, just return the session value
 if (!Array.isArray(session)) {
- return (session as unknown) as T;
+ return session as T;
 }
 // If we have an array with one value, we're good also
@@ -101,16 +101,18 @@ export async function createCookieSessionStorageFactory(
 await server.register({ plugin: hapiAuthCookie });
 server.auth.strategy('security-cookie', 'cookie', {
- cookie: cookieOptions.name,
- password: cookieOptions.encryptionKey,
+ cookie: {
+ name: cookieOptions.name,
+ password: cookieOptions.encryptionKey,
+ path: basePath,
+ clearInvalid: true,
+ isSecure: cookieOptions.isSecure,
+ isHttpOnly: true,
+ isSameSite: false,
+ },
 validateFunc: async (req: Request, session: T) => ({
 valid: await cookieOptions.validate(session),
 }),
- isSecure: cookieOptions.isSecure,
- path: basePath,
- clearInvalid: true,
- isHttpOnly: true,
- isSameSite: false,
 });
 return {
diff --git a/src/core/server/http/cookie_sesson_storage.test.ts b/src/core/server/http/cookie_sesson_storage.test.ts
index 5cd2fbaa1ebe8..90961370e8e41 100644
--- a/src/core/server/http/cookie_sesson_storage.test.ts
+++ b/src/core/server/http/cookie_sesson_storage.test.ts
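Review bot: `isSameSite: false` in the new `cookie` block of the second hunk is hard-coded and undocumented, so the session cookie appears to be issued without a SameSite attribute and cross-site request protection then rests on a separate CSRF check that is not visible in this diff. While the options are being regrouped anyway, either take the value from `cookieOptions` the way `isSecure` already is, or record the reason next to it, e.g. `// SameSite intentionally unset: <reason>; CSRF is enforced by <mechanism>`. Relatedly, `isSecure` is caller-supplied (the test fixture passes `false`), so a deployment served over TLS should be confirmed to set it, otherwise the cookie can travel over plain HTTP. `createCookieSessionStorageFactory` starts and ends outside the hunk, so defaults applied elsewhere are not visible here.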
@@ -98,8 +98,8 @@ const cookieOptions = {
 encryptionKey: 'something_at_least_32_characters',
 validate: (session: Storage) => session.expires > Date.now(),
 isSecure: false,
- path: '/',
 };
+const basePath = '/';
 describe('Cookie based SessionStorage', () => {
 describe('#set()', () => {
@@ -116,7 +116,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 innerServer,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 await server.start();
@@ -154,7 +155,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 innerServer,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 await server.start();
@@ -186,7 +188,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 innerServer,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 await server.start();
@@ -218,7 +221,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 innerServer,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 await server.start();
@@ -248,7 +252,7 @@ describe('Cookie based SessionStorage', () => {
 register: jest.fn(),
 auth: {
 strategy: jest.fn(),
- test: jest.fn(() => ['foo', 'bar']),
+ test: jest.fn(() => ({ credentials: ['foo', 'bar'] })),
 },
 };
@@ -257,7 +261,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 mockServer as any,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 expect(mockServer.register).toBeCalledTimes(1);
@@ -279,7 +284,7 @@ describe('Cookie based SessionStorage', () => {
 register: jest.fn(),
 auth: {
 strategy: jest.fn(),
- test: jest.fn(() => ['foo']),
+ test: jest.fn(() => ({ credentials: ['foo'] })),
 },
 };
@@ -288,7 +293,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 mockServer as any,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 expect(mockServer.register).toBeCalledTimes(1);
@@ -317,7 +323,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 mockServer as any,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 expect(mockServer.register).toBeCalledTimes(1);
@@ -349,7 +356,8 @@ describe('Cookie based SessionStorage', () => {
 const factory = await createCookieSessionStorageFactory(
 logger.get(),
 innerServer,
- cookieOptions
+ cookieOptions,
+ basePath
 );
 await server.start();