diff --git a/core/lib/Drupal/Core/EventSubscriber/ExceptionJsonSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/ExceptionJsonSubscriber.php
index 01f3620..34eda1f 100644
--- a/core/lib/Drupal/Core/EventSubscriber/ExceptionJsonSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/ExceptionJsonSubscriber.php
@@ -28,6 +28,17 @@ protected static function getPriority() {
   }
 
   /**
+   * Handles a 400 error for JSON.
+   *
+   * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
+   *   The event to process.
+   */
+  public function on400(GetResponseForExceptionEvent $event) {
+    $response = new JsonResponse(array('message' => $event->getException()->getMessage()), Response::HTTP_BAD_REQUEST);
+    $event->setResponse($response);
+  }
+
+  /**
    * Handles a 403 error for JSON.
    *
    * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
diff --git a/core/modules/rest/src/Plugin/ResourceBase.php b/core/modules/rest/src/Plugin/ResourceBase.php
index 33cb3aa..4e77eb9 100644
--- a/core/modules/rest/src/Plugin/ResourceBase.php
+++ b/core/modules/rest/src/Plugin/ResourceBase.php
@@ -64,7 +64,7 @@ public static function create(ContainerInterface $container, array $configuratio
       $plugin_id,
       $plugin_definition,
       $container->getParameter('serializer.formats'),
-      $container->get('logger.factory')->get('rest')
+      $container->get('logger.channel.rest')
     );
   }
 
diff --git a/core/modules/rest/src/Tests/ResourceTest.php b/core/modules/rest/src/Tests/ResourceTest.php
index df99cc6..0919205 100644
--- a/core/modules/rest/src/Tests/ResourceTest.php
+++ b/core/modules/rest/src/Tests/ResourceTest.php
@@ -112,8 +112,10 @@ public function testUriPaths() {
     $manager = \Drupal::service('plugin.manager.rest');
 
     foreach ($manager->getDefinitions() as $resource => $definition) {
-      foreach ($definition['uri_paths'] as $key => $uri_path) {
-        $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+      if (isset($definition['uri_paths'])) {
+        foreach ($definition['uri_paths'] as $key => $uri_path) {
+          $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+        }
       }
     }
   }
diff --git a/core/modules/user/src/Controller/UserLoginController.php b/core/modules/user/src/Controller/UserLoginController.php
new file mode 100644
index 0000000..f25b07e
--- /dev/null
+++ b/core/modules/user/src/Controller/UserLoginController.php
@@ -0,0 +1,224 @@
+<?php
+
+namespace Drupal\user\Controller;
+
+use Drupal\Core\Access\CsrfTokenGenerator;
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
+use Drupal\Core\Flood\FloodInterface;
+use Drupal\user\UserAuthInterface;
+use Drupal\user\UserInterface;
+use Drupal\user\UserStorageInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Provides controllers for login, login status and logout.
+ */
+class UserLoginController extends ControllerBase implements ContainerInjectionInterface {
+
+  /**
+   * String sent in responses, to describe the user as being logged in.
+   *
+   * @var string
+   */
+  const LOGGED_IN = 1;
+
+  /**
+   * String sent in responses, to describe the user as being logged out.
+   *
+   * @var string
+   */
+  const LOGGED_OUT = 0;
+
+  /**
+   * The flood controller.
+   *
+   * @var \Drupal\Core\Flood\FloodInterface
+   */
+  protected $flood;
+
+  /**
+   * The user storage.
+   *
+   * @var \Drupal\user\UserStorageInterface
+   */
+  protected $userStorage;
+
+  /**
+   * The CSRF token generator.
+   *
+   * @var \Drupal\Core\Access\CsrfTokenGenerator
+   */
+  protected $csrfToken;
+
+  /**
+   * The user authentication.
+   *
+   * @var \Drupal\user\UserAuthInterface
+   */
+  protected $userAuth;
+
+  /**
+   * Constructs a new UserLoginResource object.
+   *
+   * @param \Drupal\Core\Flood\FloodInterface $flood
+   *   The flood controller.
+   * @param \Drupal\user\UserStorageInterface $user_storage
+   *   The user storage.
+   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
+   *   The CSRF token generator.
+   * @param \Drupal\user\UserAuthInterface $user_auth
+   *   The user authentication.
+   */
+  public function __construct(FloodInterface $flood, UserStorageInterface $user_storage, CsrfTokenGenerator $csrf_token, UserAuthInterface $user_auth) {
+    $this->flood = $flood;
+    $this->userStorage = $user_storage;
+    $this->csrfToken = $csrf_token;
+    $this->userAuth = $user_auth;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container) {
+    return new static(
+      $container->get('flood'),
+      $container->get('entity_type.manager')->getStorage('user'),
+      $container->get('csrf_token'),
+      $container->get('user.auth')
+    );
+  }
+
+  /**
+   * Controller to login a user.
+   *
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   The request.
+   *
+   * @return \Symfony\Component\HttpFoundation\Response
+   *   Returns a response which contains the ID and CSRF token.
+   */
+  public function login(Request $request) {
+    $credentials = json_decode($request->getContent(), TRUE);
+    if (!isset($credentials['name']) && !isset($credentials['pass'])) {
+      throw new BadRequestHttpException('Missing credentials.');
+    }
+
+    if (!isset($credentials['name'])) {
+      throw new BadRequestHttpException('Missing credentials.name.');
+    }
+    if (!isset($credentials['pass'])) {
+      throw new BadRequestHttpException('Missing credentials.pass.');
+    }
+
+    if (!$this->isFloodBlocked()) {
+      throw new BadRequestHttpException('Blocked.');
+    }
+
+    if ($this->userIsBlocked($credentials['name'])) {
+      throw new BadRequestHttpException('The user has not been activated or is blocked.');
+    }
+
+    if ($uid = $this->userAuth->authenticate($credentials['name'], $credentials['pass'])) {
+      /** @var \Drupal\user\UserInterface $user */
+      $user = $this->userStorage->load($uid);
+      $this->userLoginFinalize($user);
+
+      // Send basic metadata about the logged in user.
+      $response_data = [];
+      if ($user->get('uid')->access('view')) {
+        $response_data['current_user']['uid'] = $user->id();
+      }
+      if ($user->get('roles')->access('view')) {
+        $response_data['current_user']['roles'] = $user->getRoles();
+      }
+      if ($user->get('name')->access('view')) {
+        $response_data['current_user']['name'] = $user->getAccountName();
+      }
+      $response_data['csrf_token'] = $this->csrfToken->get('rest');
+
+      $response = new JsonResponse($response_data);
+      return $response;
+    }
+
+    $this->flood->register('rest.login_cookie', $this->configFactory->get('user.flood')->get('user_window'));
+    throw new BadRequestHttpException('Sorry, unrecognized username or password.');
+  }
+
+  /**
+   * Verifies if the user is blocked.
+   *
+   * @param string $name
+   *   The username.
+   *
+   * @return bool
+   *   Returns TRUE if the user is blocked, otherwise FALSE.
+   */
+  protected function userIsBlocked($name) {
+    return user_is_blocked($name);
+  }
+
+  /**
+   * Finalizes the user login.
+   *
+   * @param \Drupal\user\UserInterface $user
+   *   The user.
+   */
+  protected function userLoginFinalize(UserInterface $user) {
+    user_login_finalize($user);
+  }
+
+  /**
+   * Checks for flooding.
+   *
+   * @return bool
+   *   TRUE if the user is allowed to proceed, FALSE otherwise.
+   */
+  protected function isFloodBlocked() {
+    $config = $this->config('user.flood');
+    $limit = $config->get('user_limit');
+    $interval = $config->get('user_window');
+
+    return $this->flood->isAllowed('rest.login_cookie', $limit, $interval);
+  }
+
+
+  /**
+   * Controller to logout a user.
+   *
+   * @return \Drupal\rest\ResourceResponse
+   */
+  public function logout() {
+    $this->userLogout();
+    return new Response(NULL, 204);
+  }
+
+  /**
+   * Logs the user out.
+   */
+  protected function userLogout() {
+    user_logout();
+  }
+
+  /**
+   * Controller to show whether a user is logged in or not.
+   *
+   * @return \Symfony\Component\HttpFoundation\Response
+   *   The response.
+   */
+  public function loginStatus() {
+    if ($this->currentUser()->isAuthenticated()) {
+      $response = new Response(self::LOGGED_IN);
+    }
+    else {
+      $response = new Response(self::LOGGED_OUT);
+    }
+    $response->headers->set('Content-Type', 'text/plain');
+    return $response;
+  }
+
+}
diff --git a/core/modules/user/tests/src/Functional/UserLoginHttpTest.php b/core/modules/user/tests/src/Functional/UserLoginHttpTest.php
new file mode 100644
index 0000000..a7335be
--- /dev/null
+++ b/core/modules/user/tests/src/Functional/UserLoginHttpTest.php
@@ -0,0 +1,166 @@
+<?php
+
+namespace Drupal\Tests\user\Functional;
+
+use Drupal\Core\Url;
+use Drupal\Tests\BrowserTestBase;
+use Drupal\user\Controller\UserLoginController;
+use GuzzleHttp\Cookie\CookieJar;
+
+/**
+ * Tests login via direct HTTP.
+ *
+ * @group user
+ */
+class UserLoginHttpTest extends BrowserTestBase {
+
+  /**
+   * @var \GuzzleHttp\Cookie\CookieJar
+   */
+  protected $cookies;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    $this->cookies = new CookieJar();
+  }
+
+  /**
+   * Executes a login HTTP request.
+   *
+   * @param string $name
+   *   The username.
+   * @param $pass
+   *   The user password.
+   *
+   * @return \Psr\Http\Message\ResponseInterface
+   *   The HTTP response.
+   */
+  protected function loginRequest($name, $pass) {
+    $user_login_url = Url::fromRoute('user.login.json')
+      ->setRouteParameter('_format', 'json')
+      ->setAbsolute();
+
+    $request_body = [];
+    if (isset($name)) {
+      $request_body['name'] = $name;
+    }
+    if (isset($pass)) {
+      $request_body['pass'] = $pass;
+    }
+    $result = \Drupal::httpClient()->post($user_login_url->toString(), [
+      'body' => json_encode($request_body),
+      'headers' => [
+        'Accept' => 'application/json',
+      ],
+      'http_errors' => FALSE,
+      'cookies' => $this->cookies,
+    ]);
+    return $result;
+  }
+
+  /**
+   * Test user session life cycle.
+   */
+  public function testLogin() {
+    $account = $this->drupalCreateUser();
+    $name = $account->getUsername();
+    $pass = $account->passRaw;
+
+    $client = \Drupal::httpClient();
+
+    $user_login_status_url = Url::fromRoute('user.login_status.json');
+    $user_login_status_url->setRouteParameter('_format', 'json');
+    $user_login_status_url->setAbsolute();
+
+    $result = $client->post($user_login_status_url->toString());
+    $this->assertEquals(200, $result->getStatusCode());
+    $this->assertEquals(UserLoginController::LOGGED_OUT, (string) $result->getBody());
+
+    // Flooded.
+    \Drupal::configFactory()->getEditable('user.flood')
+      ->set('user_limit', 3)
+      ->save();
+
+    $result = $this->loginRequest($name, 'wrong-pass');
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Sorry, unrecognized username or password."}', (string) $result->getBody());
+
+    $result = $this->loginRequest($name, 'wrong-pass');
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Sorry, unrecognized username or password."}', (string) $result->getBody());
+
+    $result = $this->loginRequest($name, 'wrong-pass');
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Sorry, unrecognized username or password."}', (string) $result->getBody());
+
+    $result = $this->loginRequest($name, 'wrong-pass');
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Blocked."}', (string) $result->getBody());
+
+    // After testing the flood control we can increase the limit.
+    \Drupal::configFactory()->getEditable('user.flood')
+      ->set('user_limit', 100)
+      ->save();
+
+    $result = $this->loginRequest(NULL, NULL);
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Missing credentials."}', (string) $result->getBody());
+
+    $result = $this->loginRequest(NULL, $pass);
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Missing credentials.name."}', (string) $result->getBody());
+
+    $result = $this->loginRequest($name, NULL);
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Missing credentials.pass."}', (string) $result->getBody());
+
+    // Blocked.
+    $account
+      ->block()
+      ->save();
+
+    $result = $this->loginRequest($name, $pass);
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"The user has not been activated or is blocked."}', (string) $result->getBody());
+
+    $account
+      ->activate()
+      ->save();
+
+    $result = $this->loginRequest($name, 'garbage');
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Sorry, unrecognized username or password."}', (string) $result->getBody());
+
+    $result = $this->loginRequest('garbage', $pass);
+    $this->assertEquals(400, $result->getStatusCode());
+    $this->assertEquals('{"message":"Sorry, unrecognized username or password."}', (string) $result->getBody());
+
+    $result = $this->loginRequest($name, $pass);
+    $this->assertEquals(200, $result->getStatusCode());
+    $result_data = json_decode((string) $result->getBody(), TRUE);
+    $this->assertEquals($name, $result_data['current_user']['name']);
+
+    $result = $client->post($user_login_status_url->toString(), ['cookies' => $this->cookies]);
+    $this->assertEquals(200, $result->getStatusCode());
+    $this->assertEquals(UserLoginController::LOGGED_IN, (string) $result->getBody());
+
+    $user_logout_url = Url::fromRoute('user.logout.json')->setRouteParameter('_format', 'json')->setAbsolute();
+    $result = $client->post($user_logout_url->toString(), [
+      'headers' => [
+        'Accept' => 'application/json',
+      ],
+      'http_errors' => FALSE,
+      'cookies' => $this->cookies,
+    ]);
+    $this->assertEquals(204, $result->getStatusCode());
+
+    $result = $client->post($user_login_status_url->toString(), ['cookies' => $this->cookies]);
+    $this->assertEquals(200, $result->getStatusCode());
+    $this->assertEquals(UserLoginController::LOGGED_OUT, (string) $result->getBody());
+  }
+
+}
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 6eea7ec..bebe35e 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -129,6 +129,32 @@ user.login:
   options:
     _maintenance_access: TRUE
 
+user.login.json:
+  path: '/user/login'
+  defaults:
+    _controller: \Drupal\user\Controller\UserLoginController::login
+  methods: [POST]
+  requirements:
+    _user_is_logged_in: 'FALSE'
+    _format: 'json'
+
+user.login_status.json:
+  path: '/user/login/status'
+  defaults:
+    _controller: \Drupal\user\Controller\UserLoginController::loginStatus
+  methods: [POST]
+  requirements:
+    _access: 'TRUE'
+
+user.logout.json:
+  path: '/user/logout'
+  defaults:
+    _controller: \Drupal\user\Controller\UserLoginController::logout
+  methods: [POST]
+  requirements:
+    _format: 'json'
+    _user_is_logged_in: 'TRUE'
+
 user.cancel_confirm:
   path: '/user/{user}/cancel/confirm/{timestamp}/{hashed_pass}'
   defaults: