diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php index be1b03d..40606ff 100644 --- a/core/modules/user/src/Controller/UserController.php +++ b/core/modules/user/src/Controller/UserController.php @@ -13,7 +13,9 @@ use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; use Drupal\Core\Datetime\DateFormatter; +use Drupal\Core\Url; use Drupal\user\UserStorageInterface; +use Drupal\Component\Utility\Crypt; /** * Controller routines for user routes. @@ -76,12 +78,25 @@ public static function create(ContainerInterface $container) { public function resetPass($uid, $timestamp, $hash) { $account = $this->currentUser(); $config = $this->config('user.settings'); - // When processing the one-time login link, we have to make sure that a user - // isn't already logged in. + if ($account->isAuthenticated()) { // The current user is already logged in. if ($account->id() == $uid) { - drupal_set_message($this->t('You are logged in as %user. Change your password.', array('%user' => $account->getUsername(), '!user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id()))))); + // Add a session token to the link to let the user change their password + // without having to enter their current password, since they may not + // know it. + $token = Crypt::randomBytesBase64(55); + $_SESSION['pass_reset_' . $account->id()] = $token; + drupal_set_message(t('You are logged in as %user. Change your password.', array( + '%user' => $account->getUsername(), + '!user_edit' => \Drupal::url( + 'entity.user.edit_form', + array('user' => $account->id()), + array( + 'query' => array('pass-reset-token' => $token), + ) + ) + ))); } // A different user is already logged in on the computer. else { diff --git a/core/modules/user/src/Form/UserPasswordForm.php b/core/modules/user/src/Form/UserPasswordForm.php index 378f8f3..dd99192 100644 
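Review bot: The session token is minted inside `if ($account->id() == $uid)` before anything in this hunk validates `$timestamp` or `$hash`, so an already-authenticated session obtains a current-password bypass for the edit form merely by reaching this route with its own uid; unless the remainder of resetPass (which continues outside the hunk) checks the link before this branch runs, issue `$token` only after the same timestamp/hash validation the unauthenticated path performs. The consumer of `pass-reset-token` is not in this diff; it should compare the query value with `hash_equals()` and `unset($_SESSION['pass_reset_' . $account->id()]);` once the password has been changed, otherwise the bypass appears to persist for the life of the session. Two style points: the new code calls global `t()` and `\Drupal::url()` although the removed line used the injected `$this->t()` and `$this->url()`, and `use Drupal\Core\Url;` added in the earlier hunk is never referenced — either build the link with `Url::fromRoute('entity.user.edit_form', ['user' => $account->id()], ['query' => ['pass-reset-token' => $token]])->toString()` or drop the import.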
--- a/core/modules/user/src/Form/UserPasswordForm.php +++ b/core/modules/user/src/Form/UserPasswordForm.php @@ -92,7 +92,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { $form['name']['#value'] = $user->getEmail(); $form['mail'] = array( '#prefix' => '

', - '#markup' => $this->t('Password reset instructions will be mailed to %email. You must log out to use the password reset link in the email.', array('%email' => $user->getEmail())), + '#markup' => $this->t('Password reset instructions will be mailed to %email.', array('%email' => $user->getEmail())), '#suffix' => '

', ); }