Apache/php Tmp directory

Letting users upload files to your server can be very risky. If you’re not careful, you could get users uploading all sorts of files which could be harmful for out of disk and tons of virus in your server.

Let’s go into very interesting topic of  tmp folder

/tmp folder gets cleared on shutdown or boot time but never effect in runtime. Even if /tmp is getting cleared at runtime any decent script wouldn’t delete a file that new.

check the script timeout settings in phpinfo(). PHP may be terminating the script because its taking too long to upload (ie, the script is taking too long to execute).

Timeouts Connection: 300 – Keep-Alive: 5

default_socket_timeout 60 60


Set upload_tmp_dir to a folder that is:

  • upload_tmp_dir allows you to specify where uploaded files should be saved until the handling script moves them to a more permanent location.
  • The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system’s default.
  • outside the document root of your web site
  • not readable or writable by any other system users

You can set upload_tmp_dir in the php.ini file:

Set upload_tmp_dir to a safe location

upload_tmp_dir = /var/www/foo.bar/sessions

ini_set(‘upload_tmp_dir’, ‘/path/to/dir’);

The setting can also be applied in apache’s httpd.conf file, or an .htaccess file:

# Set upload_tmp_dir to a safe location

php_value    upload_tmp_dir    /var/www/foo.bar/sessions

This entry was posted in Apache, Categories. Bookmark the permalink.