diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index be1b03d..058cd02 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -81,7 +81,19 @@ public function resetPass($uid, $timestamp, $hash) {
if ($account->isAuthenticated()) {
// The current user is already logged in.
if ($account->id() == $uid) {
- drupal_set_message($this->t('You are logged in as %user. Change your password.', array('%user' => $account->getUsername(), '!user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id())))));
+ // The user is already logged in, but is shown a message inviting them to
+ // change their password, since that may be their intent. Let the user's
+ // password be changed without the current password check, as even though
+ // they are logged in, they may not know it.
+ // See https://drupal.org/node/889772 for background.
+ $token = Crypt::randomBytesBase64(55);
+ $_SESSION['pass_reset_' . $account->id()] = $token;
+ drupal_set_message(t('You are logged in as %user. Change your password.', array(
+ '%user' => $account->getUsername(),
+ '!user_edit' => url("user/" . $account->id() . "/edit", array(
+ 'query' => array('pass-reset-token' => $token),
+ )),
+ )));
}
// A different user is already logged in on the computer.
else {
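Review bot: The new token is minted in the `$account->id() == $uid` branch without any visible use of `$timestamp` or `$hash`, so in this hunk the only conditions for receiving a link that skips the current-password check are an authenticated session and a matching uid in the URL. If nothing earlier in `resetPass()` validates the reset link (the function starts and continues outside the hunk, so this is unconfirmed), the current-password check no longer protects an account whose session is open on a shared or unattended browser. I would issue the token only after the same timestamp-expiry and hash validation that the logged-out path applies, and record that with a comment such as `// Only issue a pass-reset token once $timestamp and $hash have been validated for this account.` Because the token travels in the `pass-reset-token` query string, it can end up in access logs and Referer headers, so the code that consumes it should compare it in constant time and clear `$_SESSION['pass_reset_' . $account->id()]` after a single use.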