IMVU robot trick – Cookie!

IMVU robot trick – Cookie!

Perhaps you want to write a program or script that emulates a web browser that targets the IMVU web site or API’s. IMVU want to make sure you’re logged in as a valid avatar, so it can decide whether to show AP content, or anything at all.  The way the IMVU web server checks to see if you’re logged in is by the cookies it drops in your browser.  But if you’re just coding up a robot, you don’t have the cookies, so no content for you!

Fortunately, all of the logon magic IMVU expects is rolled into a single cookie named osCsid, with a value containing 26 characters ranging from a-z and 0-9. It’s pretty secure, because the odds of stumbling upon a correct osCsid is like 3 followed by 40 zeros, basically too astronomical to brute force.  But you can find your own osCsid cookie value by looking in your browser.  In your own code, you can set that cookie in your HTTP client (for example PHP, C#, Perl, etc.), making sure the domain of the cookies is * (because you want it to work for all the subdomains of, and with just this one osCsid cookie, IMVU will gladly respond with the information you need.

Now it’s up to YOU to decode the HTML or JSON you get back. Some of IMVU’s JSON APIs are clean, others are filthy, and it’s always a mess to scrape HTML, face it.  But if you want make an omelet, you have to break a few eggs, and I just handed you the frying pan. 😀

Also, the nice thing about osCsid is that it never seems to change for any one avatar. I can log into the web site as an alt, log back in as my usual avatar, and the osCsid goes back to what it was before.  It’s basically some kind of hash of your avatar name and password, so giving out YOUR osCsid is a pretty bad idea, as you can imagine.

Leave a reply