I am a little confused why you pass along the session id? And also why some people recommend you need to pass along a cookie manually?
By default neither of those are needed, as the cookie (which usally contain the session id, unless disabled on the server) is passed along on every web request if its set on that location on the server.
The issue is caused by the session handler/system. You mentioned its stored in the database, how does your session handler look and how is it called?
If you have not tried it yet, revert back to the filebased session system just to test if it works as expected then.
If it works then, its possible you might need to register a shutdown method for the session handler or there is a issue/bug in the session handler.
Note, you also might want to validate the data to assure its something you expect. I.e. is it a valid product, is the product available etc etc. As the way it is now, I can easily order products that are for example no longer available. This could again get you into a pickle if you display a confirmation page and charge the CC at once, as you have entered a legal agreement to deliver said product.
You can change the Session data even after the headers has been sent. If your not able to do this, its most probably an issue with your script. Keep in mind that depending on your session handeling you sometimes need to register the shutdown method.