Where Is the base_url Option in Drupal 8?

The settings.php file is the main configuration file for a Drupal site where a number of system variables, among other things, may be configured. In Drupal 7, there is an optional setting, $base_url, which specifies the absolute URL of the installation.

This is often used when generating site URLs, for example, when using Drush to log in as another user.

drush user-login  

This will log you in as the admin user (uid: 1). To log in as another user, add an option after the command: a uid, user name, or email address for the user, e.g.

drush user-login user4@example.com  

This command generates a one-time login for the user, opens the default browser and logs the user in. If this is not possible, such as when the $base_url is not set, then a link like this is displayed:

http://default/user/reset/1/1504565200/Pnf1LYYAGH7ajmReIxhKqzt_5xrVQrTXcS2NyRmoR9U/login  

The "default" may then be replaced with the correct URL and copied into a browser's address bar.

If you would like to be redirected immediately after logging in, you can add it as a second option to the Drush command:

drush user-login user4@example.com node/add/article  

This time, $base_url must be set for the command to work properly; without it, the generated URL will not work. You will still get the reset login link with http://default, however.

Problem

There is a known security flaw that can be exploited if the webserver has been configured to forward any HTTP request to Drupal regardless of the domain name in the request. A malicious person can make an HTTP POST request that modifies the domain in the password reset link.

Solution

The solution is to use a different approach in Drupal 8.

Symfony has a mechanism for preventing HTTP Host header spoofing. To enable it, provide a whitelist of allowed hosts, as an array of regular expression patterns, in $settings['trusted_host_patterns'] in settings.php. For example:

$settings['trusted_host_patterns'] = array(
    '^www\.example\.com$',
    '^example\.com$',
);
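
To see why the patterns above are anchored and have their dots escaped, here is an added example (not Drupal or Symfony code) that models the check with a hypothetical helper, host_is_trusted(), and compares the article's patterns with a loose, constructed variant against constructed Host values. It assumes patterns are applied as case-insensitive regular expressions to the host name with any port removed.

```php
<?php
// Added example, not Drupal or Symfony code: a simplified model of
// trusted-host matching, for checking patterns before they go into
// settings.php.

/**
 * Returns TRUE if $host matches at least one pattern.
 *
 * Assumption: each pattern is applied as a case-insensitive regular
 * expression to the host name with any :port suffix removed.
 */
function host_is_trusted(string $host, array $patterns): bool {
  // Drop an optional :port suffix and normalise case.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// The patterns from the article: anchored with ^ and $, dots escaped.
$strict = ['^www\.example\.com$', '^example\.com$'];

// A loose variant (constructed): no anchors, unescaped dot.
$loose = ['example.com'];

// Constructed Host header values to test against both lists.
$hosts = [
  'example.com',
  'WWW.Example.com:8080',
  'example.com.other.test',   // trusted name used as a prefix
  'examplexcom.test',         // unescaped dot matches any character
  'default',                  // the placeholder host from the Drush link
];

foreach ($hosts as $host) {
  printf("%-24s strict=%-3s loose=%s\n",
    $host,
    host_is_trusted($host, $strict) ? 'yes' : 'no',
    host_is_trusted($host, $loose) ? 'yes' : 'no');
}
```

Only the first two hosts pass the anchored list, while the loose list also accepts the third and fourth, which is the kind of pattern to catch before deployment.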

Since this is a better solution to counter the danger of URL spoofing, $base_url was removed from settings.php in Drupal 8. If you need to rewrite the request URL, the .htaccess file is a good place to do it. For specifying where CSS/JS files are to be loaded from, you can set $settings['file_public_base_url'] in settings.php.

The drush user-login command will still have no knowledge of the domain. This can be provided as an option to Drush. Create sites/default/drushrc.php, if you do not have it already, and add the site domain to your options as follows:

$options['uri'] = 'http://www.example.com';

This restores the behaviour that drush user-login (a.k.a. drush uli) had when $base_url was set.
