The settings.php file is the main configuration file for a Drupal site where a number of system variables, among other things, may be configured. In Drupal 7, there is an optional setting, $base_url, which specifies the absolute URL of the installation.

This is often used when generating site URLs, for example, when using Drush to log in as another user.

drush user-login

This will log you in as the admin user (uid: 1). To log in as another user, you can add an option after the command — either a uid, user name, or email address for the user, e.g.

drush user-login user4@example.com

This command generates a one-time login for the user, opens the default browser and logs the user in. If this is not possible, such as when the $base_url is not set, then a link like this is displayed:

http://default/user/reset/1/1504565200/Pnf1LYYAGH7ajmReIxhKqzt_5xrVQrTXcS2NyRmoR9U/login

The "default" may then be replaced with the correct URL and copied into a browser's address bar.

If you would like to be redirected immediately after logging in, you can add the destination path as a second option to the Drush command:

drush user-login user4@example.com node/add/article

This time, you must have $base_url set for it to work properly, as the generated URL will not work otherwise. You will still get the reset login with http://default, however.

Problem

There is a known security flaw that can be exploited if the webserver has been configured to forward any HTTP request to Drupal regardless of the domain name in the request. A malicious person can make an HTTP POST request that modifies the domain in the password reset link.

Solution

The solution is to use a different approach in Drupal 8.

Symfony has a mechanism for preventing HTTP Host header spoofing. To enable it, provide a whitelist of the hosts to allow, as an array of regular expression patterns, in $settings['trusted_host_patterns'] in settings.php. For example:

$settings['trusted_host_patterns'] = array(
    '^www\.example\.com$',
    '^example\.com$',
);
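
Why the patterns above are anchored with ^ and $ and escape their dots, shown as an added example that is not part of the original article and is not Drupal or Symfony code. host_is_trusted() is a hypothetical helper that approximates the check by applying each pattern as a case-insensitive regular expression to the Host header value; the loose pattern and all host names are constructed.

```php
<?php
// Added example, not Drupal or Symfony code. host_is_trusted() is a
// hypothetical helper that approximates the check: every pattern is applied
// as a case-insensitive regular expression to the Host header value.

function host_is_trusted(string $host, array $patterns): bool {
    // Drop an optional port and normalise case before matching.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return true;
        }
    }
    return false;
}

// The patterns from settings.php above: anchored, dots escaped.
$strict = array(
    '^www\.example\.com$',
    '^example\.com$',
);

// A loose variant (constructed): no anchors, unescaped dot.
$loose = array('example.com');

// Constructed Host header values.
$hosts = array(
    'www.example.com',
    'EXAMPLE.com:8080',
    'default',
    'www.example.com.attacker.invalid',
    'examplexcom.invalid',
);

printf("%-36s %-8s %s\n", 'Host header', 'strict', 'loose');
foreach ($hosts as $host) {
    printf("%-36s %-8s %s\n", $host,
        host_is_trusted($host, $strict) ? 'allow' : 'reject',
        host_is_trusted($host, $loose) ? 'allow' : 'reject');
}
```

The strict list allows only the first two hosts, while the loose pattern also allows the last two, because without anchors it matches anywhere in the string and an unescaped dot matches any character.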

Since this is a better solution to counter the danger of URL spoofing, $base_url was removed from settings.php in Drupal 8. If you need to rewrite the request URL, the .htaccess file is a good place to do it. For specifying where CSS/JS files are to be loaded from, you can set $settings['file_public_base_url'] in settings.php.

The drush user-login command will still have no knowledge of the domain. This can be provided as an option to Drush. Create sites/default/drushrc.php, if you do not have it already, and add the site domain to your options as follows:

$options['uri'] = 'http://www.example.com';

This restores the behaviour that drush user-login (a.k.a. drush uli) had when $base_url was set.