diff --git a/core/modules/system/src/PathBasedBreadcrumbBuilder.php b/core/modules/system/src/PathBasedBreadcrumbBuilder.php
index 1075ee7..ccb9f56 100644
--- a/core/modules/system/src/PathBasedBreadcrumbBuilder.php
+++ b/core/modules/system/src/PathBasedBreadcrumbBuilder.php
@@ -121,7 +121,6 @@ public function applies(RouteMatchInterface $route_match) {
    */
   public function build(RouteMatchInterface $route_match) {
     $links = array();
-
     // General path-based breadcrumbs. Use the actual request path, prior to
     // resolving path aliases, so the breadcrumb can be defined by simply
     // creating a hierarchy of path aliases.
diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index be1b03d..b4e0563 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -14,6 +14,7 @@
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Drupal\Core\Datetime\DateFormatter;
 use Drupal\user\UserStorageInterface;
+use Drupal\Component\Utility\Crypt;
 
 /**
  * Controller routines for user routes.
@@ -76,12 +77,25 @@ public static function create(ContainerInterface $container) {
   public function resetPass($uid, $timestamp, $hash) {
     $account = $this->currentUser();
     $config = $this->config('user.settings');
-    // When processing the one-time login link, we have to make sure that a user
-    // isn't already logged in.
+
     if ($account->isAuthenticated()) {
       // The current user is already logged in.
       if ($account->id() == $uid) {
-        drupal_set_message($this->t('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array('%user' => $account->getUsername(), '!user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id())))));
+        // Add a session token to the link to let the user change their password
+        // without having to enter their current password, since they may not
+        // know it.
+        $token = Crypt::randomBytesBase64(55);
+        $_SESSION['pass_reset_' . $account->id()] = $token;
+        drupal_set_message(t('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array(
+          '%user' => $account->getUsername(),
+          '!user_edit' => $this->url(
+            'entity.user.edit_form',
+            array('user' => $account->id()),
+            array(
+              'query' => array('pass-reset-token' => $token),
+            )
+          )
+        )));
       }
       // A different user is already logged in on the computer.
       else {
diff --git a/core/modules/user/src/Form/UserPasswordForm.php b/core/modules/user/src/Form/UserPasswordForm.php
index f06ba29..ad61ca7 100644
--- a/core/modules/user/src/Form/UserPasswordForm.php
+++ b/core/modules/user/src/Form/UserPasswordForm.php
@@ -92,7 +92,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
       $form['name']['#value'] = $user->getEmail();
       $form['mail'] = array(
         '#prefix' => '<p>',
-        '#markup' =>  $this->t('Password reset instructions will be mailed to %email. You must log out to use the password reset link in the email.', array('%email' => $user->getEmail())),
+        '#markup' =>  $this->t('Password reset instructions will be mailed to %email.', array('%email' => $user->getEmail())),
         '#suffix' => '</p>',
       );
     }
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 1d27865..c102184 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -72,7 +72,7 @@ function testUserPasswordReset() {
     $edit['name'] = $this->account->getUsername();
     $this->drupalPostForm(NULL, $edit, t('Email new password'));
 
-     // Verify that the user was sent an email.
+    // Verify that the user was sent an email.
     $this->assertMail('to', $this->account->getEmail(), 'Password email sent to user.');
     $subject = t('Replacement login information for @username at @site', array('@username' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name')));
     $this->assertMail('subject', $subject, 'Password reset email subject is correct.');
@@ -140,6 +140,34 @@ public function getResetURL() {
     return $urls[0];
   }
 
+
+  /**
+   * Test user password reset while logged in.
+   */
+  public function testUserPasswordResetLoggedIn() {
+    // Log in.
+    $this->drupalLogin($this->account);
+
+    // Reset the password by username via the password reset page.
+    $this->drupalGet('user/password');
+    $this->drupalPostForm(NULL, NULL, t('Email new password'));
+
+    // Click the reset URL while logged and change our password.
+    $resetURL = $this->getResetURL();
+    $this->drupalGet($resetURL);
+    $this->clickLink(t('Change your password.'));
+
+    // Make sure we do not need to enter the current password if we go to the
+    // "reset password" link while logged in.
+    $this->assertNoRaw(t('Current password'));
+
+    // Change the password.
+    $password = user_password();
+    $edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
+    $this->drupalPostForm(NULL, $edit, t('Save'));
+    $this->assertText(t('The changes have been saved.'), 'Password changed.');
+  }
+
   /**
    * Prefill the text box on incorrect login via link to password reset page.
    */