diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index be1b03d..46e6174 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -14,6 +14,7 @@ use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Drupal\Core\Datetime\DateFormatter;
 use Drupal\user\UserStorageInterface;
+use Drupal\Component\Utility\Crypt;
 /**
 * Controller routines for user routes.
@@ -81,7 +82,19 @@ public function resetPass($uid, $timestamp, $hash) {
 if ($account->isAuthenticated()) {
 // The current user is already logged in.
 if ($account->id() == $uid) {
- drupal_set_message($this->t('You are logged in as %user. Change your password.', array('%user' => $account->getUsername(), '!user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id())))));
+ // The user is already logged in, but is shown a message inviting them to
+ // change their password, since that may be their intent. Let the user's
+ // password be changed without the current password check, as even though
+ // they are logged in, they may not know it.
+ // See https://drupal.org/node/889772 for background.
+ $token = Crypt::randomBytesBase64(55);
+ $_SESSION['pass_reset_' . $account->id()] = $token;
+ drupal_set_message(t('You are logged in as %user. Change your password.', array(
+ '%user' => $account->getUsername(),
+ '!user_edit' => url("user/" . $account->id() . "/edit", array(
+ 'query' => array('pass-reset-token' => $token),
+ )),
+ )));
 }
 // A different user is already logged in on the computer.
 else {
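Review bot: The `!user_edit` argument built for the new `drupal_set_message()` call is never referenced by the message string `'You are logged in as %user. Change your password.'`, so the edit URL carrying `pass-reset-token` is computed and discarded, and the token just written to `$_SESSION['pass_reset_' . $account->id()]` is never offered to the user; either put the link back into the string, e.g. `'You are logged in as %user. <a href="!user_edit">Change your password</a>.'`, or drop the dead argument. Replacing `$this->t()` and `$this->url('entity.user.edit_form', …)` with the procedural `t()` and the hard-coded `"user/" . $account->id() . "/edit"` path also abandons the injected, route-based helpers the rest of this controller uses, which looks unintended. The consumer of the session token is outside this hunk; it should compare the query value with `hash_equals()` and unset the session entry once the password has been changed, so that the current-password bypass is single-use. `resetPass()` continues past the end of the hunk.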