diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index f6a30cb..c9a5620 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1819,7 +1819,7 @@ function user_toolbar() {
     $links = array(
       'account' => array(
         'title' => t('View profile'),
-        'href' => 'user',
+        'route_name' => 'user.page',
         'html' => TRUE,
         'attributes' => array(
           'title' => t('User account'),
@@ -1827,7 +1827,8 @@ function user_toolbar() {
       ),
       'account_edit' => array(
         'title' => t('Edit profile'),
-        'href' => 'user/' . $user->id() . '/edit',
+        'route_name' => 'user.edit',
+        'route_parameters' => array('user' => $user->id()),
         'html' => TRUE,
         'attributes' => array(
           'title' => t('Edit user account'),
@@ -1835,7 +1836,7 @@ function user_toolbar() {
       ),
       'logout' => array(
         'title' => t('Log out'),
-        'href' => 'user/logout',
+        'route_name' => 'user.logout',
       ),
     );
   }
@@ -1843,7 +1844,7 @@ function user_toolbar() {
      $links = array(
       'login' => array(
         'title' => t('Log in'),
-        'href' => 'user',
+        'route_name' => 'user.login',
       ),
     );
   }
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index f9b5a91..c61ef7d 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -31,7 +31,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
       $reset_link_account = user_load($uid);
       if (!empty($reset_link_account)) {
         drupal_set_message(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.',
-          array('%other_user' => $user->getUsername(), '%resetting_user' => $reset_link_account->getUsername(), '!logout' => url('user/logout'))));
+          array('%other_user' => $user->getUsername(), '%resetting_user' => $reset_link_account->getUsername(), '!logout' => \Drupal::url('user.logout'))));
       } else {
         // Invalid one-time link specifies an unknown user.
         drupal_set_message(t('The one-time login link you clicked is invalid.'));
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index bbc2053..45cb4a0 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -12,6 +12,7 @@ user.logout:
     _controller: '\Drupal\user\Controller\UserController::logout'
   requirements:
     _user_is_logged_in: 'TRUE'
+    _csrf_token: 'TRUE'
 
 user.autocomplete:
   path: '/user/autocomplete'