I think it's because you set an anonymous hash as the value for the cookie. Apache2::Cookie expects a string for the '-value'. So either you send two cookies, one holds the username and another one holds the MAC, or you serialize it with Storable::freeze when sending it and deserialize it when getting it with Storable::thaw.

However, I would just join them with comma when sending, and split them when receiving.

On debugging: use the good old 'warn' and 'Data::Dumper::Dumper' combination, printing everything to the apache error log. If you don't have access to the log, just print them to the browser.