4.6.x user.module user_login($edit = array(), $msg = '')
4.7.x user.module user_login($msg = '')
5.x user.module user_login()
6.x user.module user_login(&$form_state)
7.x user.module user_login($form, &$form_state)

Form builder; the main user login form.

Related topics

4 string references to 'user_login'
TriggerOtherTestCase::testActionsUser in modules/trigger/trigger.test
Tests triggering on user create and user login.
TriggerUserTokenTestCase::testUserTriggerTokenReplacement in modules/trigger/trigger.test
Tests a variety of token replacements in actions.
trigger_test_action_info in modules/trigger/tests/trigger_test.module
Implements hook_action_info().
trigger_user_login in modules/trigger/trigger.module
Implements hook_user_login().


modules/user/user.module, line 2103
Enables the user registration and login system.


function user_login($form, &$form_state) {
  global $user;

  // If we are already logged on, go to the user page instead.
  if ($user->uid) {
    drupal_goto('user/' . $user->uid);

  // Display login form:
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Username'),
    '#size' => 60,
    '#maxlength' => USERNAME_MAX_LENGTH,
    '#required' => TRUE,
  $form['name']['#description'] = t('Enter your @s username.', array(
    '@s' => variable_get('site_name', 'Drupal'),
  $form['pass'] = array(
    '#type' => 'password',
    '#title' => t('Password'),
    '#description' => t('Enter the password that accompanies your username.'),
    '#required' => TRUE,
  $form['#validate'] = user_login_default_validators();
  $form['actions'] = array(
    '#type' => 'actions',
  $form['actions']['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Log in'),
  return $form;


nmanela’s picture

While creating an external login module, I wanted to modify the login block and page to provide the external login link and disable the Drupal username and password fields. However, I needed to create a different path that will still allow the superadmin user to login with his/her Drupal account.

I added this menu callback:

   $items['backdoor'] = array(
    'title' => 'Admin Login',
    'description' => 'Use when can\'t login externally',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('user_login'),
    'access arguments' => array('access content'),

Then in the form_alter, I've disabled the username and password, except for the backdoor page:

function yourmodule_form_alter(&$form, $form_state, $form_id) {
  switch ($form_id) {
    case 'user_login':
    case 'user_login_block':  

      // only allow for Drupal login fields if this is the /backdoor page
      if (strcmp(current_path(),"backdoor")!=0) {
        $form['name']['#access'] = FALSE;
        $form['pass']['#access'] = FALSE;
	$form['#submit'][] = 'yourmodule_external_submit';
	$form['#validate'][] = 'yourmodule_external_validate';
Garrett Albright’s picture

So what's the URL of your site? I want to, erm, take a look at something.

In all seriousness, this is a really bad idea. Someone will find that back door and pwn your site; it's only a matter of time. Please pretend that you never saw the above post, everyone.

ChaseOnTheWeb’s picture

Someone will find that back door and pwn your site

As best I can tell all the menu callback is doing is exposing the form callback for user/login at another path, so that there's still a way to log into local accounts (like uid 1) if you're using an external auth module that replaces the login page. Anyone who finds this "backdoor" is still going to have to log in with a valid drupal account. I'd appreciate if someone could spell out the concern, as I have a use case to do something like this.