diff --git a/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php index ed9b0c5..daf3640 100644 --- a/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php +++ b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php @@ -7,6 +7,7 @@ namespace Drupal\rest\Plugin\rest\resource; +use Drupal\Component\Utility\Html; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\Flood\FloodInterface; use Drupal\rest\ResourceResponse; @@ -88,20 +89,29 @@ public static function create(ContainerInterface $container, array $configuratio */ public function post(array $operation = array()) { - switch ($operation['op']) { + if (array_key_exists('op', $operation)) { + switch ($operation['op']) { - case 'login': - if (!empty($operation['credentials'])) { + case 'login': + if (!array_key_exists('credentials', $operation)) { + $operation['credentials'] = array(); + } return $this->login($operation['credentials']); - } - throw new BadRequestHttpException('Missing credentials.'); - case 'logout': - return $this->logout(); + case 'status': + return $this->status(); - default: - throw new BadRequestHttpException('Unsupported op.'); + case 'logout': + return $this->logout(); + default: + // TODO: do we have to escape? + throw new BadRequestHttpException('Unsupported op '. Html::escape($operation['op']) . '.'); + + } + } + else { + throw new BadRequestHttpException('No op found.'); } } 
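Review bot: `switch ($operation['op'])` compares loosely, so a JSON body such as `{"op": true}` satisfies `case 'login':` (and on PHP 5/7 `{"op": 0}` does as well), while a non-string op such as an array or object reaches `Html::escape()` in the default branch. Checking the type up front closes both holes: `if (!isset($operation['op']) || !is_string($operation['op'])) { throw new BadRequestHttpException('No op found.'); }` placed before the switch, which also lets the trailing `else` go. The `// TODO: do we have to escape?` should be settled before merge: how a BadRequestHttpException message is rendered is decided outside this class, so an HTML-escaped string may be the wrong thing for a JSON or plain-text error body, and keeping the message fixed as 'Unsupported op.' avoids reflecting request input into the response at all (in which case the new `use Drupal\Component\Utility\Html;` is not needed). The enclosing class continues outside the hunk.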
@@ -115,6 +125,14 @@ public function post(array $operation = array()) {
 * The HTTP response object
 */
 protected function login(array $credentials = array()) {
+ if ($this->userIsAuthenticated()) {
+ throw new BadRequestHttpException('You need to logout first.');
+ }
+
+ if (empty($credentials)) {
+ throw new BadRequestHttpException('Missing credentials.');
+ }
+
 // Verify that the username is filled.
 if (!array_key_exists('name', $credentials)) {
 throw new BadRequestHttpException('Missing credentials.name.');
@@ -138,21 +156,36 @@ protected function login(array $credentials = array()) {
 if ($uid = \Drupal::service('user.auth')->authenticate($credentials['name'], $credentials['pass'])) {
 $user = User::load($uid);
 user_login_finalize($user);
- return new ResourceResponse('You are logged in as ' . $credentials['name'], 200, array());
+ return new ResourceResponse('You are logged in as ' . $credentials['name'] . '.', 200, array());
 }
 $this->flood->register('rest.login_cookie', $this->configFactory->get('user.flood')->get('user_window'));
 throw new BadRequestHttpException('Sorry, unrecognized username or password.');
 }
- /**
+ protected function userIsAuthenticated() {
+ return \Drupal::currentUser()->isAuthenticated();
+
+ }
+ protected function status() {
+ if (\Drupal::currentUser()->isAuthenticated()) {
+ return new ResourceResponse('You are logged in.', 200, array());
+ }
+ return new ResourceResponse('You are not logged in.', 200, array());
+ }
+
+ /**
 * User Logout.
 *
 * @return ResourceResponse
 */
 protected function logout() {
+ if (!\Drupal::currentUser()->isAuthenticated()) {
+ throw new BadRequestHttpException('You cannot logout as you are not logged in.');
+ }
+
 user_logout();
- return new ResourceResponse('Logged out!', 200, array());
+ return new ResourceResponse('You are logged out.', 200, array());
 }
 /**
diff --git a/core/modules/rest/src/Tests/UserTest.php b/core/modules/rest/src/Tests/UserTest.php
index 3bf00e7..66505e6 100644
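Review bot: The new `if ($this->userIsAuthenticated())` guard rejects any request whose current user is already authenticated, which presumably includes requests authenticated by a non-session provider (the test module list names basic_auth) rather than by a cookie; a caller that sends such a header can then never establish a session through this resource. If that is intended it deserves a comment on the guard, `// A request already authenticated by any provider may not log in again.`; if not, the check should look at whether a session is active rather than at the current user. The `if (empty($credentials))` branch is what turns a missing `credentials` key into 'Missing credentials.', since post() passes `array()` in that case, and a one-line comment saying so would spare the next reader a trip to post(). login()'s body continues outside the hunk.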
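Review bot: `status()` and `logout()` call `\Drupal::currentUser()->isAuthenticated()` directly while login() goes through the new `userIsAuthenticated()` helper; both guards should use the helper so there is one place to change, `if (!$this->userIsAuthenticated()) {` in logout() and `if ($this->userIsAuthenticated()) {` in status(). The success path in login() still echoes the request's `$credentials['name']` into the response; `$user` is the account that actually authenticated, and printing its name rather than the submitted string avoids reflecting request input. `userIsAuthenticated()` and `status()` carry no docblock although every other method in view has one; `/** Returns TRUE if the current request is authenticated. */` and `/** Reports whether the current user is logged in. @return ResourceResponse */` would match the file, and the stray blank line before the closing brace of userIsAuthenticated() can go.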
--- a/core/modules/rest/src/Tests/UserTest.php
+++ b/core/modules/rest/src/Tests/UserTest.php
@@ -24,7 +24,7 @@ class UserTest extends RESTTestBase {
 public static $modules = array('basic_auth', 'hal', 'rest');
 /**
- * Tests login, status, logout.
+ * Test user session life cycle.
 */
 public function testLogin() {
 $this->defaultAuth = array('basic_auth');
@@ -39,42 +39,54 @@ public function testLogin() {
 $basic_auth = ['Authorization: Basic ' . base64_encode("$name:$pass")];
- $payload = $this->getPayload('login', $name, $pass);
+ $payload = array();
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('200', 'Successfully logged into Drupal.');
+ $this->assertResponseAndText(400, 'No op found.');
+
+ $payload = $this->getPayload('garbage');
+ $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
+ $this->assertResponseAndText(400, 'Unsupported op garbage.');
+
+ $payload = $this->getPayload('status');
+ $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
+ $this->assertResponseAndText(200, 'You are logged in.');
+
+ $payload = $this->getPayload('logout');
+ $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
+ $this->assertResponseAndText(200, 'You are logged out.', $basic_auth);
 $payload = $this->getPayload('login');
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Missing credentials.');
+ $this->assertResponseAndText(400, 'Missing credentials.');
 $payload = $this->getPayload('login', $name);
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Missing credentials.name.');
+ $this->assertResponseAndText(400, 'Missing credentials.pass.');
 $payload = $this->getPayload('login', NULL, $pass);
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Missing credentials.pass.');
+ $this->assertResponseAndText(400, 'Missing credentials.name.');
 $payload = $this->getPayload('login', $name, 'garbage');
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Sorry, unrecognized username or password.');
+ $this->assertResponseAndText(400, 'Sorry, unrecognized username or password.');
 $payload = $this->getPayload('login', 'garbage', $pass);
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Sorry, unrecognized username or password.');
+ $this->assertResponseAndText(400, 'Sorry, unrecognized username or password.');
- $payload = $this->getPayload('status');
+ $payload = $this->getPayload('login', $name, $pass);
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('200', 'You are not logged in.');
+ $this->assertResponseAndText(200, "You are logged in as $name");
- $payload = $this->getPayload('garbage');
+ $payload = $this->getPayload('status');
 $this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType, $basic_auth);
- $this->assertResponse('400', 'Unsupported op.');
-
- $payload = $this->getPayload('logout');
- //$this->httpRequest('user_login', 'POST', json_encode($payload), $this->defaultMimeType);
- $this->assertResponse('200', 'Successfully logged out from Drupal.', $basic_auth);
+ $this->assertResponseAndText(200, 'You are logged in.');
+ }
+ protected function assertResponseAndText($code, $text) {
+ $this->assertResponse($code);
+ $this->assertText($text);
 }
 /**
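Review bot: `$this->assertResponseAndText(200, 'You are logged out.', $basic_auth);` passes a third argument that the new helper does not declare, a leftover from the old `assertResponse()` call it replaced; drop `$basic_auth` there. Every request in the sequence carries the Basic Authorization header and the first `status` call is expected to report 'You are logged in.', so it is not clear from the hunk why the later `login` with valid credentials is expected to return 200 rather than the 'You need to logout first.' rejection that UserLoginResource::login() now raises; a comment stating which provider authenticates each step, or an assertion that pins it, would make the expectation reviewable. The unsupported-op case only sends the plain string 'garbage', so a second case with a value such as `<b>x</b>` would pin the escaping the resource now performs on that message. The helper has no docblock; `/** Asserts the HTTP response code and that the page text contains $text. */` would match the file.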