settings.php file is the main configuration file for a Drupal site where a number of system variables, among other things, may be configured. In Drupal 7, there is an optional setting,
$base_url, which specifies the absolute URL of the installation.
This is often used when generating site URLs, for example, when using Drush to log in as another user.
This will log you in as admin user (uid: 1). To log in as another user, you can add an option after the command — either a uid, user name, or email address for the user, e.g.
drush user-login firstname.lastname@example.org
This command generates a one-time login for the user, opens the default browser and logs the user in. If this is not possible, such as when the
$base_url is not set, then a link like this is displayed:
The "default" may then be replaced with the correct URL and copied into a browser's address bar.
If you would like to be redirected immediately after logging in, you can add it as a second option to the Drush command:
drush user-login email@example.com node/add/article
This time, you must have
$base_url set for it to work properly, as the generated URL will not work. You will still get the reset login with
There is a known security flaw that can be exploited if the webserver has been configured to forward any HTTP request to Drupal regardless of the domain name in the request. A malicious person can make an HTTP POST request that modifies the domain in the password reset link.
The solution is to use a different approach in Drupal 8.
Symfony has a mechanism for preventing HTTP Host header spoofing. In order to enable it, provide a whitelist in an array of regular expression patterns for the hosts to allow
settings.php. For example:
$settings['trusted_host_patterns'] = array( '^www\.example\.com$', '^example\.com$', );
Since this is a better solution to counter the danger of URL spoofing,
$base_url was removed from
settings.php in Drupal 8. If you need to rewrite the request URL, the
.htaccess file is a good place to do it. For specifying where CSS/JS files are to be loaded from, you can set
drush user-login command will still have no knowledge of the domain. This can be provided as an option to Drush. Create
sites/default/drushrc.php, if you do not have it already, and add the site domain to your options as follows:
$options['uri'] = 'http://www.example.com';
This restores the original behaviour of the
drush user-login, a.k.a.
drush uli when
$base_url has been set.