Issues with multiple sessions being stored for the same user

Question

I am having issues whereby the same user is generating two session files. I started to log these in the database so I could see what was going on. I am curious to know whether this stems from setting sessions in a class or whether there is some programing faux pas behind this. Below are both sessions from my computer generated within a minute of each other:

session_id  session_data
kfmj13vi5o538mvi57at8th0n2  useradd|s:10:"xx.xx.62.69";redirect|s:10:"/index.php";
3bb0fkisndf3u0o1l3195iclh2  UID|s:1:"1";USERNAME|s:9:"kalpaitch";

Sometimes (not always) when a user logs in, the class responsible for adding the 'UID' and 'USERNAME' to the session seems to create a new session entirely (as above) and therefore the page does not register the user as having logged in.

This is a script someone else wrote, with the following path => loginform.php posts to validate.php which calls the method below.

function validateUser($username,$password, $redirect){
        $password=md5($password);
        if(get_magic_quotes_gpc()){
            $username = stripslashes($username);
            $password = stripslashes($password);
        }       

        $sql = "SELECT id,username,password FROM users WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "' AND status='1' and verified=1"; 

        $result=mysql_query($sql);
        $row = mysql_fetch_array($result);

        if ($row["id"]){
            session_start();
             $_SESSION["UID"] = $row["id"];
             $_SESSION["USERNAME"]=$row["username"];
             header("location: http://www.xxx.com".$redirect);
        }else{
            unset($_SESSION["UID"]);
            unset($_SESSION["USERNAME"]);

            $sql = "select id,username,password from user where username='" . mysql_real_escape_string($username) . "' and password='" . mysql_real_escape_string($password) . "' and status='1' and verified=0"; 
            $result=mysql_query($sql);
            $row = mysql_fetch_array($result);
            if ($row["id"]){
                $_SESSION['login'] = 'Verify your account by email';
                header("location: http://www.xxx.com".$redirect);
            }else{
                $_SESSION['login'] = 'Incorrect username or password';
                header("location: http://www.xxx.com".$redirect);
            }
        }
    }

Answer 1

Very probably this has to do with either session cookie settings, cookie-path for instance, or cookie-domain, especially when you're alternating between a www.domain.tld and a plain domain.tld site; or a session_regenerate_id() call after login (which is actually a good idea, as it avoids session-fixation).