The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Apache::AuthCookieNTLM - NTLM (Windows domain) authentication with cookies


'WhatEver' should be replaced with the AuthName you choose for this location's authentication.

    <Location />
        PerlAuthenHandler Apache::AuthCookieNTLM

        # NTLM CONFIG
        AuthType ntlm,basic
        AuthName WhatEver
        require valid-user

        #                   domain          pdc               bdc
        PerlAddVar ntdomain "name_domain1   name_of_pdc1"
        PerlAddVar ntdomain "other_domain   pdc_for_domain    bdc_for_domain"

        PerlSetVar defaultdomain default_domain
        PerlSetVar ntlmdebug 1

        # COOKIE CONFIG - all are optional and have defaults
        PerlSetVar WhatEverName cookie_name
        PerlSetVar WhatEverExpires +5h
        PerlSetVar WhatEverPath /
        PerlSetVar WhatEverDomain
        PerlSetVar WhatEverSecure 1


As explained in the Apache::AuthenNTLM module, depending on the user's config, IE will supply your Windows logon credentials to the web server when the server asks for NTLM authentication. This saves the user typing in their windows login and password.

Apache::AuthCookieNTLM is an interface to Shannon Peevey's Apache::AuthenNTLM module. This modules authenticates a user using their Windows login against the Windows PDC, but to also stores their login name into a cookie. This means that it can be accessed from other pages and stops the system having to authenticate for every request.

We did consider using Apache::AuthCookie to store the details in a cookie but since using NTLM is basicaly there to remove the need to login and is almost exclusively for intranets (as it needs access to the PDC), we decided it was feasible not to use it.


Please consult the Apache::AuthenNTLM documentation for more details on the NTLM configuration.

'WhatEver' should be replaced with the AuthName you choose for this location's authentication.

PerlSetVar WhatEverName

Sets the cookie name. This will default to Apache::AuthCookieNTLM_WhatEver.

PerlSetVar WhatEverExpires

Sets the cookie expiry time. This defaults to being a session only cookie.

PerlSetVar WhatEverPath

Sets the path that can retrieve the cookie. The default is /.

PerlSetVar WhatEverDomain

Defaults to current server name, set to what ever domain you wish to be able to access the cookie.

PerlSetVar WhatEverSecure

Not set as default, set to 1 if you wish for cookies to only be returned to a secure (https) server.

PerlSetVar ntlmdebug

Setting this value means debugging information is shown in the apache error log, this value is also used for Apache::AuthenNTLM. Default to 0, set to 1 or 2 for more debugging info.


The method can be overwritten to set the values stored in the cookie

Example for overriding

This is an example of how to set your cookie values with whatever data you want.

  package MYAuthenNTLM;

  use Apache::AuthCookieNTLM;   
  use base ( 'Apache::AuthCookieNTLM' );
  use MyUserLookup_Package;
  sub choose_cookie_values {
    my ($self,$r) = @_;
    # Save if it's not already set
    if ($self->check_cookie()) {
                # Look up against other sources
            my $person = MyUserLookup_Package->new($self->{'username'});

            'email'     => $person->email(),
            'shoe_size' => $person->shoe_size(),

'username' and 'userdomain' are set automatically, though you can override them, they are used to set the REMOTE_USER value.


First test Apache::AuthenNTLM directly without this module.

NTLM Authentication

If you get prompted for a login / passwd / domain IE probably isn't sending the NTLM information. Ensure that IE sees the server as a 'trusted' intranet site (and therefor sends the username). You should be able to set this as a policy across your network, or on each machine:

'Tools' -> 'Internet Options' -> 'Security' -> 'Local Intranet' -> 'Sites' -> 'Advanced' and add it in there, this must start with http:// or https://

Once this is working you should be able to just replace

  PerlAuthenHandler Apache::AuthenNTLM


  PerlAuthenHandler Apache::AuthCookieNTLM

And have it all just work[tm].

Remember to quit IE and reload as it's crap at implementing changes on the fly!

Not setting cookies

IE doesn't seem to alert you (if you've turned prompt on for cookies). We guess it's because its from the trusted site.

Also check your using the right domain, as can be seen when you turn debug on.

access to /test failed in error log - but it works

Because Apache::AuthenNTLM has to go through several loops the first of which will fail, this will be reported in your error log, but you can just ignore it.


Apache::AuthenNTLM, Apache::Cookie, CGI::Cookie


Leo Lapworth <>, Francoise Dehinbo