Problem with logging in WP users automatically

As an interim measure while migrating users to a new system I have devised a solution where when a user logs in the old system, they are forwarded to the new system and automatically logged in to their new account based on their user id.

The code on old system looks like this:

function client_redirect_select_users($user_login, $user) {
  $user_id = $user->ID;
  $redirect_user = get_user_meta($user_id, 'client_redirect_user', true);
  if (intval($redirect_user) == 1) :
    $redirect_user_id = get_user_meta($user_id, 'client_redirect_user_id', true);
    /* Construct fancy string to obscure user id */
    wp_redirect('http://sillysite.com/?user_redirect=".$redirect_user_string);
    exit();
  endif;
}
add_action("wp_login', 'client_redirect_select_users', 10, 2);

The code on new system looks as follows:

 function client_auto_login() {
  if (!is_user_logged_in()) :
    if (isset($_GET['user_redirect'])) :
      $user_login_string = intval($_GET['user_redirect']);
      /* Do some fancy stuff to extract user id from the GET string */
      $user_data = get_userdata($decrypted_user_id);
      if ($user_data) :
        $user_login = $user_data->user_login;
        wp_set_current_user($user_id, $user_login);
        wp_set_auth_cookie($user_id, true);
        do_action('wp_login', $user_login);
      endif;
    endif;
  endif;
}

add_action('init', 'client_auto_login');

The user is logged in correctly and can see their data. But when they click on any link on the page they are logged out again. Why? 🙁
Is there a better way to do this? I COULD send the user password from the old system as well (with some trivial encryption ofc) and use wp_signon() instead, but I’d rather not.

Help?

(I am 110% aware that this is not a secure solution AT ALL, but it is an interim measure for a few weeks while we get the new system up and running in it’s entirety, and the users are not technical at all so we are trying to make it as painless as possible for them. It is also not immediately obvious how to gain access to any account simply by looking at the user login string or even supplying a random user id, although the mechanism can be guessed with some effort).

In the end, wp_signon() was the solution, as the cookie was apparently not set with the code I was using.
I followed this solution
https://gist.github.com/iandunn/8162246
to circumvent a need for password and added these functions to functions.php.

I also moved the autologin code from ‘init’ to template where it executes before any headers are sent or any html is output (above wp_head() ).

So now it looks like this:

if (!is_user_logged_in()) :
    if (isset($_GET['user_redirect'])) :
    $user_login_string = intval($_GET['user_redirect']);
    /* Fancy user id retrieval stuff */ 
    $user_data = get_userdata($decrypted_user_id);
    if ($user_data) :
      $user_login = $user_data->user_login;
      $loggedin = programmatic_login( $user_login ); // <--- Gist function
      if ($loggedin) :
        wp_redirect('/userpage');
        exit();
      endif;
    endif;
  else :
    wp_redirect(wp_login_url());
    exit;
  endif;
endif;

And it works, wie, yay, happy dance.