Forgive me if I'm misunderstanding, but you seem to be trying to untaint and semi-validate the cookie at once. Try untainting (and ignoring what is in the cookie) then validate it against a list of known cookies or (as you're trying to do now) a "syntax".

I agree with the others about cookie content, too. Use hex or something easier to deal with than base64. I think base64 is a bit of overkill for what you seem to be doing.

traveler
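
A sketch of the two-step approach suggested above, as an added example rather than code from this thread: untaint first, then validate the value against a "syntax" and a list of known cookies. The 32-digit hex cookie format, the sample ids and all function names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample data: 32-hex-digit ids the server issued earlier.
my %issued = map { $_ => 1 } qw(
    3f9a1c0e5b7d2a4468c1e0f9ab12cd34
    0b5e77a1c2d3e4f5a6b7c8d9e0f10213
);

# Step 1: untaint only. Under -T a regex capture is untainted; this
# pattern accepts anything, so the result is NOT yet trusted.
sub untaint {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A(.*)\z/s;
    return $clean;
}

# Step 2a: validate against a "syntax" (lowercase hex, fixed length).
sub has_valid_syntax {
    my ($value) = @_;
    return $value =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

# Step 2b: validate against the list of known cookies.
sub is_known {
    my ($value) = @_;
    return exists $issued{$value} ? 1 : 0;
}

# Only a value that passed both checks leaves this function, so the
# untainted-but-unchecked string never reaches the rest of the program.
sub checked_cookie {
    my ($raw) = @_;
    my $value = untaint($raw);
    return unless defined $value;
    return unless has_valid_syntax($value) && is_known($value);
    return $value;
}

# Constructed inputs: an issued id, a well-formed unknown id, junk.
for my $raw ('3f9a1c0e5b7d2a4468c1e0f9ab12cd34',
             'ffffffffffffffffffffffffffffffff',
             "not-hex; value\n") {
    my $ok = checked_cookie($raw);
    (my $shown = $raw) =~ s/[^\x20-\x7e]/?/g;   # keep output printable
    printf "%-36s %s\n", $shown, defined $ok ? 'accepted' : 'rejected';
}
```

Run it with `perl -T` to have taint mode enforce that nothing derived from the raw cookie is used before `untaint` has been called.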