Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

auto_login_url

1,101 sites Security covered
View on drupal.org

Version 3.1.3 Released!

Stable release 3.1.3 is now available. This major release introduces powerful per-URL configuration, enhanced security, comprehensive test coverage, and full Drupal 10.3+ and Drupal 11 support.

Key New Features:

  • Admin UI: new fully functional Admin UI to manage auto logins URL's and generate as needed with expiration and one time overrides per URL.
  • Per-URL Custom Expiration: Set different expiration times for individual URLs (e.g., 5 minutes for password resets, 30 days for email campaigns)
  • Per-URL One-Time Use: Configure individual URLs to be single-use or reusable, independent of global settings
  • Enhanced Security: Rate limiting, flood protection, IP validation, and cryptographic token generation
  • Comprehensive Testing: 35 PHPUnit tests with 228 assertions, 100% PHPCS compliance, PHPStan Level 6 analysis
  • Modern Platform Support: Drupal 10.3+ and Drupal 11, PHP 8.1+

100% Backward Compatible: Existing code continues to work without any changes. New parameters are optional.

Please report any issues against the 3.0.x branch in the issue queue.

Overview

Creates auto login URLs on demand and through tokens. This is primarily a developer's module that provides a secure way to create time-limited, cryptographically signed URLs for passwordless authentication.

The module excels at converting all links in content to auto login links, making it perfect for email campaigns and user notifications.

It provides two built-in tokens for use with mass emailing modules like simplenews.

Use Cases

Create auto login URLs for a user:

<?php
// Drupal 10/11 - Basic usage
$url = auto_login_url_create($uid, '/user');

// With absolute URL
$url = auto_login_url_create($uid, '/user', TRUE);

// NEW in 3.0.0: Per-URL configuration
// Short-lived one-time URL for password reset (5 minutes)
$url = auto_login_url_create($uid, '/user/edit', TRUE, 300, TRUE);

// Long-lived reusable URL for email campaign (30 days)
$url = auto_login_url_create($uid, '/dashboard', TRUE, 2592000, FALSE);

// Using the service directly
$alu_service = \Drupal::service('auto_login_url.create');
$url = $alu_service->create($uid, $destination, TRUE, $custom_expiration, $one_time_use);
?>

Convert all links in text to auto login URLs:

<?php
// Convert text
$text = 'Visit your profile at https://example.com/user/123';
$auto_login_text = auto_login_url_convert_text($uid, $text);

// Using the service directly
$converter = \Drupal::service('auto_login_url.text_converter');
$auto_login_text = $converter->convertText($uid, $text);
?>

Available Tokens

Use these tokens in email templates, simplenews, or anywhere user tokens are available:

  • [user:auto-login-url-token] - Auto login URL to site front page
  • [user:auto-login-url-account-edit-token] - Auto login URL to user's account edit page

Creating Custom Tokens

You can easily create new tokens programmatically using Auto Login URL functions:

<?php
/**
 * Implements hook_token_info().
 */
function my_module_token_info() {
  $info = [];

  // Custom token for user profile page.
  $info['tokens']['user']['auto-login-url-account-token'] = [
    'name' => t("Auto Login URL account view"),
    'description' => t('Auto login URL for the user account page.'),
  ];

  return $info;
}

/**
 * Implements hook_tokens().
 */
function my_module_tokens($type, $tokens, array $data = [], array $options = []) {
  $replacements = [];

  if ($type == 'user' && !empty($data['user'])) {
    $user = $data['user'];

    foreach ($tokens as $name => $original) {
      if ($name === 'auto-login-url-account-token') {
        $uid = (int) $user->id();
        $path = '/user/' . $uid;
        $replacements[$original] = auto_login_url_create($uid, $path, TRUE);
      }
    }
  }

  return $replacements;
}
?>

Features

  • Secure URL Generation: Cryptographically secure HMAC-based signatures
  • Per-URL Configuration: Custom expiration and one-time use settings per URL (in 3.* releases)
  • Flexible Destinations: Support for any internal or external URL after login
  • Token Integration: Built-in Drupal token support
  • Text Link Conversion: Automatically convert existing links to auto-login URLs
  • Rate Limiting: Configurable limits to prevent abuse (default: 10 URLs per hour per user)
  • Flood Protection: Built-in protection against brute force attacks
  • IP Validation: Optional IP address validation for enhanced security
  • Usage Analytics: Optional tracking with configurable data retention
  • Health Monitoring: Built-in health check endpoint
  • Automated Cleanup: Cron-based cleanup of expired tokens

Requirements

  • Drupal: 10.3+ or 11.x
  • PHP: 8.1+
  • Recommended: Token module for enhanced token integration

Installation

composer require drupal/auto_login_url
drush en auto_login_url

Configure at: Administration → People → Auto Login URL

Security

This module implements multiple layers of security:

  • Cryptographic signatures using HMAC with site-specific keys
  • Time-based expiration (all tokens expire automatically)
  • Rate limiting to prevent abuse
  • Flood protection against brute force attacks
  • User validation (active, not blocked)
  • Optional IP address restriction
  • Secure random number generation
  • Hash format validation to prevent injection attacks

Best Practice: Use the shortest practical expiration time for your use case. Enable one-time use for sensitive operations like password resets.

Similar Modules

A similar module you may want to evaluate is URL Login. Auto Login URL was created to provide an easier API for creating tokens and URLs on demand, with flexible per-URL configuration options.

Support

Credits

Maintainers:

Originally developed by: Thanos Nokas

Originally sponsored by: Human Factor

License

GPL-2.0-or-later

Activity

Total releases
6
First release
Jun 2025
Latest release
5 months ago
Release cadence
30 days
Stability
83% stable

Release Timeline

Releases

Version Type Release date
3.1.3 Stable Nov 5, 2025
3.1.2 Stable Nov 5, 2025
3.1.1 Stable Oct 20, 2025
3.1.0 Stable Oct 20, 2025
3.0.0 Stable Oct 19, 2025
3.x-dev Dev Jun 10, 2025