4.6.x user.module user_authenticate($name, $pass)
4.7.x user.module user_authenticate($name, $pass)
5.x user.module user_authenticate($name, $pass)
6.x user.module user_authenticate($form_values = array())
7.x user.module user_authenticate($name, $password)

Try to log in the user locally.


$form_values: Form values with at least 'name' and 'pass' keys, as well as anything else which should be passed along to hook_user op 'login'.

Return value

A $user object, if successful.

4 calls to user_authenticate()
blogapi_validate_user in modules/blogapi/blogapi.module
Ensure that the given user has permission to edit a blog.
install_configure_form_submit in ./install.php
Form API submit for the site configuration form.
user_login_authenticate_validate in modules/user/user.module
A validate handler on the login form. Check supplied username/password against local users table. If successful, sets the global $user object.
user_register_submit in modules/user/user.module
Submit handler for the user registration form.


modules/user/user.module, line 1389
Enables the user registration and login system.


function user_authenticate($form_values = array()) {
  global $user;

  // Load the account to check if the e-mail is denied by an access rule.
  // Doing this check here saves us a user_load() in user_login_name_validate()
  // and introduces less code change for a security fix.
  $account = user_load(array(
    'name' => $form_values['name'],
    'pass' => trim($form_values['pass']),
    'status' => 1,
  if ($account && drupal_is_denied('mail', $account->mail)) {
    form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
      '%name' => $account->name,

  // Name and pass keys are required.
  // The user is about to be logged in, so make sure no error was previously
  // encountered in the validation process.
  if (!form_get_errors() && !empty($form_values['name']) && !empty($form_values['pass']) && $account) {
    $user = $account;
    return $user;
  else {
    watchdog('user', 'Login attempt failed for %user.', array(
      '%user' => $form_values['name'],


chriscohen’s picture

A simple example to programatically register a new user and log them in:

// Set basic details for the new user.
$params = array(
  'mail'   => 'foo@example.com',
  'name'   => 'foo',
  'pass'   => 'bar', // No need to hash the password
  'status' => 1, // Otherwise the user is blocked on creation

// Create the account. The first parameter is not needed unless updating an existing account.
$account = user_save(NULL, $params);

// Log the user in. $params array must have a minimum of 'name' and 'pass' keys.
$account = user_authenticate($params);
SuNcO’s picture

I use the user_authenticate and it works because the $account var contains uid and some stuff, but I can't see the session cookie

Lets say i have drupal in:


and the user_authenticate is used on:


when i go to the first url, the logged user is gone

Elementica’s picture