diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index be15fac..8838dc8 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -6,6 +6,7 @@
 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Datetime\DateFormatterInterface;
+use Drupal\Core\Flood\FloodInterface;
 use Drupal\user\Form\UserPasswordResetForm;
 use Drupal\user\UserDataInterface;
 use Drupal\user\UserInterface;
@@ -49,6 +50,13 @@ class UserController extends ControllerBase {
   protected $logger;
 
   /**
+   * The flood service.
+   *
+   * @var \Drupal\Core\Flood\FloodInterface
+   */
+  protected $flood;
+
+  /**
    * Constructs a UserController object.
    *
    * @param \Drupal\Core\Datetime\DateFormatterInterface $date_formatter
@@ -65,6 +73,7 @@ public function __construct(DateFormatterInterface $date_formatter, UserStorageI
     $this->userStorage = $user_storage;
     $this->userData = $user_data;
     $this->logger = $logger;
+    $this->flood = \Drupal::flood();
   }
 
   /**
@@ -186,6 +195,8 @@ public function getResetPassForm(Request $request, $uid) {
   /**
    * Validates user, hash, and timestamp; logs the user in if correct.
    *
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   The request.
    * @param int $uid
    *   User ID of the user requesting reset.
    * @param int $timestamp
@@ -201,7 +212,7 @@ public function getResetPassForm(Request $request, $uid) {
    * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    *   If $uid is for a blocked user or invalid user ID.
    */
-  public function resetPassLogin($uid, $timestamp, $hash) {
+  public function resetPassLogin(Request $request, $uid, $timestamp, $hash) {
     // The current user is not logged in, so check the parameters.
     $current = REQUEST_TIME;
     /** @var \Drupal\user\UserInterface $user */
@@ -222,6 +233,21 @@ public function resetPassLogin($uid, $timestamp, $hash) {
       return $this->redirect('user.pass');
     }
     elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp))) {
+      $flood_config = $this->config('user.flood');
+      if ($flood_config->get('uid_only')) {
+        // Register flood events based on the uid only, so they apply for any
+        // IP address. This is the most secure option.
+        $identifier = $user->id();
+      }
+      else {
+        // The default identifier is a combination of uid and IP address. This
+        // is less secure but more resistant to denial-of-service attacks that
+        // could lock out all users with public user names.
+        $identifier = $user->id() . '-' . $request->getClientIP();
+      }
+      $this->flood->clear('user.failed_login_ip');
+      $this->flood->clear('user.failed_login_user', $identifier);
+
       user_login_finalize($user);
       $this->logger->notice('User %name used one-time login link at time %timestamp.', ['%name' => $user->getDisplayName(), '%timestamp' => $timestamp]);
       drupal_set_message($this->t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
diff --git a/core/modules/user/src/Tests/UserLoginTest.php b/core/modules/user/src/Tests/UserLoginTest.php
index d92c1c7..a83e0c6 100644
--- a/core/modules/user/src/Tests/UserLoginTest.php
+++ b/core/modules/user/src/Tests/UserLoginTest.php
@@ -63,16 +63,23 @@ public function testGlobalLoginFloodControl() {
     // A login with the correct password should also result in a flood error
     // message.
     $this->assertFailedLogin($user1, 'ip');
+    $this->resetUserPassword($user1);
+    $this->drupalLogout();
+    // Try to login as user 1, it should be successful.
+    $this->drupalLogin($user1);
+    $this->assertNoRaw('Too many failed login attempts from your IP address.');
   }
 
   /**
    * Test the per-user login flood control.
    */
   public function testPerUserLoginFloodControl() {
+    $user_limit = 3;
+
     $this->config('user.flood')
       // Set a high global limit out so that it is not relevant in the test.
       ->set('ip_limit', 4000)
-      ->set('user_limit', 3)
+      ->set('user_limit', $user_limit)
       ->save();
 
     $user1 = $this->drupalCreateUser([]);
@@ -103,6 +110,12 @@ public function testPerUserLoginFloodControl() {
     // Try one more attempt for user 1, it should be rejected, even if the
     // correct password has been used.
     $this->assertFailedLogin($user1, 'user');
+    $this->resetUserPassword($user1);
+    $this->drupalLogout();
+
+    // Try to login as user 1, it should be successful.
+    $this->drupalLogin($user1);
+    $this->assertNoRaw('There have been more than ' . $user_limit . ' failed login attempts for this account.');
   }
 
   /**
@@ -175,4 +188,23 @@ public function assertFailedLogin($account, $flood_trigger = NULL) {
     }
   }
 
+  /**
+   * Reset user password.
+   *
+   * @param object $user
+   *   A user object.
+   */
+  public function resetUserPassword($user) {
+    $this->drupalGet('user/password');
+    $edit['name'] = $user->getUsername();
+    $this->drupalPostForm(NULL, $edit, 'Submit');
+    $_emails = $this->drupalGetMails();
+    $email = end($_emails);
+    $urls = [];
+    preg_match('#.+user/reset/.+#', $email['body'], $urls);
+    $resetURL = $urls[0];
+    $this->drupalGet($resetURL);
+    $this->drupalPostForm(NULL, NULL, 'Log in');
+  }
+
 }