set the upper boundary to 1 year max.

being generous adding 1 day for leap ones.

Author: devnexen

ext/session/session.c

@@ -30,6 +30,7 @@
 
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <time.h>
 
 #include "php_ini.h"
 #include "SAPI.h"
@@ -694,7 +695,17 @@ static PHP_INI_MH(OnUpdateCookieLifetime) /* {{{ */
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
 
-	const zend_long maxcookie = ZEND_LONG_MAX / 2 ;
+	struct tm *tm, p;
+	time_t n = time(NULL);
+	zend_long maxcookie = 31536000 ;
+
+	tm = php_localtime_r(&n, &p);
+	int y = tm->tm_year + 1900;
+
+	if (!(y % 4) || (!(y % 100) && !(y % 400))) {
+		maxcookie += 86400;
+	}
+
 	zend_long v = (zend_long)atol(ZSTR_VAL(new_value));
 	if (v < 0 || v > maxcookie) {
 		php_error_docref(NULL, E_WARNING, "CookieLifetime must be between 0 and " ZEND_LONG_FMT, maxcookie);

ext/session/tests/session_get_cookie_params_basic.phpt

@@ -35,7 +35,7 @@ var_dump(session_get_cookie_params());
 echo "Done";
 ob_end_flush();
 ?>
---EXPECT--
+--EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
 array(6) {
   ["lifetime"]=>
@@ -66,18 +66,20 @@ array(6) {
   ["samesite"]=>
   string(0) ""
 }
-bool(true)
+
+Warning: session_set_cookie_params(): CookieLifetime must be between 0 and %d in %s on line %d
+bool(false)
 array(6) {
   ["lifetime"]=>
-  int(1234567890)
+  int(3600)
   ["path"]=>
-  string(5) "/guff"
+  string(5) "/path"
   ["domain"]=>
-  string(3) "foo"
+  string(4) "blah"
   ["secure"]=>
-  bool(true)
+  bool(false)
   ["httponly"]=>
-  bool(true)
+  bool(false)
   ["samesite"]=>
   string(0) ""
 }