The settings.php file is the main configuration file for a Drupal site where a number of system variables, among other things, may be configured. In Drupal 7, there is an optional setting, $base_url, which specifies the absolute URL of the installation.
This is often used when generating site URLs, for example, when using Drush to log in as another user.
drush user-login
This will log you in as admin user (uid: 1). To log in as another user, you can add an option after the command — either a uid, user name, or email address for the user, e.g.
drush user-login user4@example.com
This command generates a one-time login for the user, opens the default browser and logs the user in. If this is not possible, such as when the $base_url is not set, then a link like this is displayed:
http://default/user/reset/1/1504565200/Pnf1LYYAGH7ajmReIxhKqzt_5xrVQrTXcS2NyRmoR9U/login
The "default" may then be replaced with the correct URL and copied into a browser's address bar.
If you would like to be redirected immediately after logging in, you can add it as a second option to the Drush command:
drush user-login user4@example.com node/add/article
This time, you must have $base_url set for it to work properly, as the generated URL will not work. You will still get the reset login with http://default, however.
Problem
There is a known security flaw that can be exploited if the webserver has been configured to forward any HTTP request to Drupal regardless of the domain name in the request. A malicious person can make an HTTP POST request that modifies the domain in the password reset link.
Solution
The solution is to use a different approach in Drupal 8.
Symfony has a mechanism for preventing HTTP Host header spoofing. In order to enable it, provide a whitelist in an array of regular expression patterns for the hosts to allow $settings['trusted_host_patterns'] in settings.php. For example:
$settings['trusted_host_patterns'] = array(
'^www\.example\.com$',
'^example\.com$',
);
Since this is a better solution to counter the danger of URL spoofing, $base_url was removed from settings.php in Drupal 8. If you need to rewrite the request URL, the .htaccess file is a good place to do it. For specifying where CSS/JS files are to be loaded from, you can set $settings['file_public_base_url'] in settings.php.
The drush user-login command will still have no knowledge of the domain. This can be provided as an option to Drush. Create sites/default/drushrc.php, if you do not have it already, and add the site domain to your options as follows:
$options['uri'] = 'http://www.example.com';
This restores the original behaviour of the drush user-login, a.k.a. drush uli when $base_url has been set.
