Cookie set twice within single request

Hello, I've found qute a few posts about similiar issues, but in my case the same cookie gets set twice in the same request.

// services.php
$dispatcher->getEventsManager()->attach('dispatch:beforeDispatch', new Auth);
class Auth extends Plugin {
    static $_count = 0;
    public function beforeDispatch(Event $event, Dispatcher $dispatcher) {
            self::$_count++;
            if(self::$_count>1) {
                // check if by any chance the event gets called twice (never reaches this branch)
                die('auth event called twice!');
            }
            $userCookie = $this->cookies->get(self::USER_COOKIE)->getValue('string');
            if(!$userCookie) {
                // whatever token generation
                $userCookie = sha1(microtime(true) . $this->security->getSaltBytes(6));
                // save this token token db for later reference
                $userSession->setToken($userCookie);
                // push token to client as cookie
                $this->cookies->set(self::USER_COOKIE, $userCookie, time() + (60 * 60 * 24 * 365));
            }
    }
}

If I then check the response with curl, i get these headers:

Server: nginx/1.10.0
Date: Wed, 26 Oct 2016 13:41:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: PHPSESSID=<whatever>; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: travelhood_user=i%2FCTdf5f66LVdFdirWHUlyycquVT8bTNa5tbuMFjHRUHqabdQYNq310BpCuhcMP33%2B0IhnpBuWwJmFAxsDYiJ8vrxRgZdA2KXagWV%2FDPME8Lu2hsf10w%2FQGc%2FkQtzsUn; expires=Sat, 24-Oct-2026 13:41:26 GMT; Max-Age=315359999; path=/; domain=my.domain.com
Set-Cookie: travelhood_user=JB%2F%2BcpIO3h0PfjBrqLoURQyxcHSF0siff9XqsWpOVbB6V8epb0Zv3LBNaOV9%2Bw3Rlb6%2FQASOlQqjdqt1RQIwS2814d3T0c31erQbiV56vsvEQskH5YGORDghx4jG%2FU4w; expires=Sat, 24-Oct-2026 13:41:26 GMT; Max-Age=315359999; path=/; domain=my.domain.com

As you can see there's an if statement with a static counter to check if the event itself is called twice, but it never enters that branch... I've been trying to debug this for nigh a day, any idea is most welcome at this point :D

  • ubuntu xenial
  • php 5.6
  • phalcon 2.0.13
  • chrome @ win7

EDIT: I also use encryption for cookies, although I dont think it has anything to do with this issue...

edited Oct '16

What exactly is userSession ? Maybe you are just doing somewhere further like in action or anywhere ->sendCookies ? Or send ?