And you still haven't used strict. Why is that?

Just because you fix one bug it does not mean that your code is now bug-free nor does it mean that your algorithm has been correctly coded. You said:

The problem is, I can't remove the cookie using $session->delete() and $session->flush() when I try to log out.

How do you expect either of those methods to delete a cookie from the jar when you are printing the response headers by hand? That's not going to happen. Either look in the code and/or the documentation and determine how you can delete a cookie using the module methods or else do it yourself in the headers if that's the way you prefer.

Or alternatively, just don't worry that a browser still has a cookie for a now-deleted session because it's not like they can do anything with it.

Either way, at least you are now deleting the session which you were not before.