bm_sz Cookie
The bm_sz cookie is deployed as part of Akamai’s anti-fraud protection system. Its role is to help distinguish between real human users and automated scripts or bots by storing cryptographic or behavioral state that Akamai can reference on future visits.
It is designed to last only a few hours (commonly around 4 hours) before it expires or is refreshed. Because it holds part of the verification state, Akamai doesn’t need to fully re-challenge or re-compute all fingerprint data each time – the cookie aids in keeping validation more efficient across requests.
How does it work?
- When you first go to an Akamai-protected site, you don’t yet have a bm_sz cookie. So, Akamai uses a default hash (for example 8888888) to encrypt a small package of data called sensor_data. Once the site accepts that, it gives you a bm_sz cookie to store.
- Later, your browser sends that bm_sz cookie on every request. From that cookie, Akamai pulls out a “cookie hash”.
- It also gets a “file hash” from the site’s JavaScript code. These two hashes act like secret keys: Akamai uses them to scramble and descramble (encrypt and decrypt) the sensor_data payload. If everything checks out, it accepts your request.
- As long as the cookie remains valid and intact, Akamai doesn’t need to do the full check again and can just verify using those two hashes.
- If the cookie is missing, broken, or changed, the system goes back to using the default logic (full checks) to decide if the request is valid.
Kameleo Relevance
Tools like Kameleo are designed to simulate natural browsing – they align browser fingerprints, preserve and present cookies and session state, and reproduce human-like behavior so those Akamai cookies are less likely to mark the session as automated.
This makes it possible to interact with Akamai-protected sites in a controlled, human-like way for testing and research purposes.