ACS "Failed to Authenticate User" Even Though User's Logged In

I'm trying to program a tool in PHP that allows a user to manage custom objects in ACS. When I try to create a custom object, I get this response.

{"meta":{"status":"fail","code":404,"message":"Failed to authenticate user"}}

OK, so I get it. There's no user logged in. I'm not sure how this could be, however. When a user first accesses the tool, they do login. I'm wondering if it's my PHP login script and how it writes cookies. I also use session variables to write some global variables for my tool's usage.

<?php
session_start();
include('globals.php');
 
$url = $acsEndpoint . "/users/login.json" . "?key=" . $acsKey;
 
$curl = curl_init($url); 
curl_setopt($curl, CURLOPT_POST, true); 
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_COOKIEFILE, "cookie.txt"); 
curl_setopt($curl, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); 
curl_setopt($curl, CURLOPT_POSTFIELDS, 'login='.$_POST["username"].'&password='.$_POST["password"]); 
 
$response = curl_exec( $curl ); 
curl_close( $curl );  
$arrResponse = json_decode($response, true);
 
if($arrResponse["meta"]["status"] == "ok") {
    $_SESSION['userId'] = $arrResponse["response"]["users"][0]["id"];
    $_SESSION['sessionId'] = $arrResponse["meta"]["session_id"];
    $_SESSION['userName'] = $arrResponse["response"]["users"][0]["first_name"]." " .$arrResponse["response"]["users"][0]["last_name"];
}
 
echo $response;
?>

This is the script for writing the object.

<?php
session_start();
 
include 'globals.php';
 
if($_POST["type"] == "quote") {
    $fields = array(
        'content' => $_POST["quoteContent"],
        'author' => $_POST["quoteAuthor"],
        'source' => $_POST["quoteSource"],
        'isApproved' => true
    );
}
 
$jsonFields = json_encode($fields);
 
$url = $acsEndpoint . "/objects/". $_POST["type"] . "/create.json?key=" . $acsKey;
 
$curl = curl_init($url); 
curl_setopt($curl, CURLOPT_POST, true); 
curl_setopt($curl, CURLOPT_HEADER, false); 
curl_setopt($curl, CURLOPT_COOKIEFILE, "cookie.txt"); 
curl_setopt($curl, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); 
curl_setopt($curl, CURLOPT_POSTFIELDS,  '&fields=' . $jsonFields ); 
 
$response = curl_exec( $curl ); 
curl_close( $curl );  
 
echo $response;
?>

The globals.php file simply has some variables like the ACS keys.

Are there any suggestions of how to authenticate a user successfully so a cookie writes and can therefore write objects? Thanks!