This module tries to prevent users from logging in on certain domains (or all domains).

Warning: This module is not designed as a security tool; instead, it is intended for convenience. See both the use case and security considerations below.

Use case

Here's an example use case. Imagine that you use a CDN for public traffic to your Drupal site, at URL https://www.example.com. Public traffic users are not supposed to log into Drupal; only your internal staff can log in (e.g., to edit pages).

Your staff uses the "origin" URL to log into Drupal, at https://manage.example.com. This URL is only available behind a VPN.

For this reason, no one should be allowed to log into Drupal on the public/CDN domain name. They shouldn't even be allowed to try to log in.

This module helps to achieve that goal. It blocks the user login forms when they are accessed on the public domain name.

Features

You can list which domains to affect. Drupal tries to prevent users from logging in whenever one of these domains is used. Specifically, Drupal does these things on those domains:

  • Disables the login page
  • Disables the User login block
  • Disables the user login form itself
  • If a user finds another way to log in, this stops a user from actually getting logged in

Installation

  1. Install like any other module
  2. Manage the domains at /admin/config/people/disable-login-by-domain

Similar modules

These are similar modules:

  • Prevent Login: Disables the login page entirely, regardless of which domain you're on.
  • Disable user login and registration: Also disables the login and password-reset pages, but you can configure which one(s) to block.
  • Limit Domain Access By Role: Stops a user from logging in on certain domains. However, the login page and login form are still available on those domains.
  • Disable login: Blocks access to the login page unless you have a special key in the URL.
  • Login disable: Very similar to the previous module, except this one blocks the login form itself. Along with this, it tries to log out a user if they do find a way to log in.

Security considerations

This module uses the Host/X-Forwarded-Host request header to determine the site's domain name. This header could be overridden by a malicious user, allowing them to circumvent the protections provided by this module. To do this, they could send a value that both 1) is not a blocked domain and 2) is in the trusted host list (assuming that list is set; if it is not set, set it ASAP, see next).

To help protect against this sort of attack, set Drupal's Trusted Host Settings. Setting this list does not guarantee an attacker cannot bypass this module, but does make it harder.
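
As an added example (not code from this module or from Drupal), the PHP script below audits a trusted-host list against the module's blocked domains. The host names, the weak pattern list, the $blocked_domains array and the exact-match comparison are assumptions made for illustration; only $settings['trusted_host_patterns'] is Drupal's real setting.

```php
<?php
// Added example: audit a settings.php trusted-host list against the
// domains blocked by this module. All values below are constructed.

// Weak: unescaped dots and no anchors, so look-alike hosts also match.
$weak_patterns = ['www.example.com', 'manage.example.com'];

// Corrected form for settings.php: escaped dots, anchored at both ends.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^manage\.example\.com$',
];

// Assumption: the list entered at /admin/config/people/disable-login-by-domain.
$blocked_domains = ['www.example.com'];

// Symfony, which Drupal uses for this check, matches each pattern
// case-insensitively against the host name.
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Classify a Host value: rejected by Drupal, login blocked, or login reachable.
// Assumption: the module compares the host to its list by exact match.
function classify(string $host, array $patterns, array $blocked): string {
  if (!host_is_trusted($host, $patterns)) {
    return 'rejected (untrusted host)';
  }
  return in_array(strtolower($host), $blocked, TRUE)
    ? 'login blocked'
    : 'login reachable';
}

// Constructed Host values to audit, including two look-alikes.
$candidates = ['www.example.com', 'manage.example.com',
  'www.example.com.invalid', 'wwwXexample.com'];

foreach ($candidates as $host) {
  printf("%-26s weak: %-26s strict: %s\n", $host,
    classify($host, $weak_patterns, $blocked_domains),
    classify($host, $settings['trusted_host_patterns'], $blocked_domains));
}
```

With the strict list, the look-alike hosts are rejected before the module is consulted. A host that is trusted but not blocked, such as manage.example.com here, still reaches the login form, which is the residual gap described above.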

Activity

  • Total releases: 1
  • First release: Apr 2025
  • Latest release: 10 months ago
  • Stability: 100% stable

Releases

Version   Type     Release date
1.2.0     Stable   Apr 18, 2025