ext/session: fix cookie_lifetime overflow causing INI value desync

jorgsowa · jorgsowa · commit 29eb82220cec · 2026-04-10T09:32:43.000+02:00
When session.cookie_lifetime was set to a value larger than maxcookie,
OnUpdateCookieLifetime returned SUCCESS without updating the internal
long value, causing ini_get() string and PS(cookie_lifetime) to go
out of sync.

Now the value is properly clamped to maxcookie with both the string
and internal long updated consistently, and a warning is emitted.
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -711,6 +711,10 @@ static PHP_INI_MH(OnUpdateCookieLifetime)
 		php_error_docref(NULL, E_WARNING, "CookieLifetime cannot be negative");
 		return FAILURE;
 	} else if (v > maxcookie) {
+		php_error_docref(NULL, E_WARNING, "CookieLifetime value too large, value was set to the maximum of " ZEND_LONG_FMT, maxcookie);
+		zend_long *p = ZEND_INI_GET_ADDR();
+		*p = maxcookie;
+		entry->value = zend_long_to_str(maxcookie);
 		return SUCCESS;
 	}
 
diff --git a/ext/session/tests/gh16290.phpt b/ext/session/tests/gh16290.phpt
@@ -6,8 +6,11 @@ session
 <?php include('skipif.inc'); ?>
 --FILE--
 <?php
+ob_start();
 session_set_cookie_params(PHP_INT_MAX, '/', null, false, true);
 echo "DONE";
+ob_end_flush();
 ?>
---EXPECT--
+--EXPECTF--
+Warning: session_set_cookie_params(): CookieLifetime value too large, value was set to the maximum of %d in %s on line %d
 DONE
diff --git a/ext/session/tests/session_cookie_lifetime_overflow.phpt b/ext/session/tests/session_cookie_lifetime_overflow.phpt
@@ -0,0 +1,34 @@
+--TEST--
+session.cookie_lifetime overflow value is clamped
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ob_start();
+
+// Set a valid value first
+ini_set("session.cookie_lifetime", 100);
+var_dump(ini_get("session.cookie_lifetime"));
+
+// Set an overflow value - should succeed with warning, value clamped
+ini_set("session.cookie_lifetime", PHP_INT_MAX);
+$val = (int) ini_get("session.cookie_lifetime");
+var_dump($val < PHP_INT_MAX); // clamped, not PHP_INT_MAX
+var_dump($val > 0); // positive
+
+// Valid values still work after clamping
+ini_set("session.cookie_lifetime", 200);
+var_dump(ini_get("session.cookie_lifetime"));
+
+ob_end_flush();
+?>
+--EXPECTF--
+string(3) "100"
+
+Warning: ini_set(): CookieLifetime value too large, value was set to the maximum of %d in %s on line %d
+bool(true)
+bool(true)
+string(3) "200"
