diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
index cb43c6572c..a3706c2534 100644
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -60,7 +60,6 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 private Class extends SecurityContext> securityContextClass = null;
 /** SecurityContext instance used to check for equality with default (unauthenticated) content */
 private Object contextObject = SecurityContextHolder.createEmptyContext();
- private boolean cloneFromHttpSession = false;
 private boolean allowSessionCreation = true;
 private boolean disableUrlRewriting = false;
@@ -72,9 +71,6 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 * If the session is null, the context object is null or the context object stored in the session
 * is not an instance of SecurityContext, a new context object will be generated and
 * returned.
-
- * If cloneFromHttpSession is set to true, it will attempt to clone the context object first
- * and return the cloned instance.
 */
 public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
 HttpServletRequest request = requestResponseHolder.getRequest();
@@ -157,11 +153,6 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 return null;
 }
- // Clone if required (see SEC-356)
- if (cloneFromHttpSession) {
- contextFromSession = cloneContext(contextFromSession);
- }
-
 if (debug) {
 logger.debug("Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '" + contextFromSession + "'");
 }
@@ -171,28 +162,6 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 return (SecurityContext) contextFromSession;
 }
- /**
- *
- * @param context the object which was stored under the security context key in the HttpSession.
- * @return the cloned SecurityContext object. Never null.
- */
- private Object cloneContext(Object context) {
- Object clonedContext = null;
- Assert.isInstanceOf(Cloneable.class, context,
- "Context must implement Cloneable and provide a Object.clone() method");
- try {
- Method m = context.getClass().getMethod("clone", new Class[]{});
- if (!m.isAccessible()) {
- m.setAccessible(true);
- }
- clonedContext = m.invoke(context, new Object[]{});
- } catch (Exception ex) {
- ReflectionUtils.handleReflectionException(ex);
- }
-
- return clonedContext;
- }
-
 /**
 * By default, calls {@link SecurityContextHolder#createEmptyContext()} to obtain a new context (there should be
 * no context present in the holder when this method is called). Using this approach the context creation