All Windows users of Google's Chrome web browser can now use Device Bound Session Credentials (DBSC), a feature that protects session cookies from being abused by attackers. Right now, the feature only works for people who have Chrome version 146 installed on Windows and macOS.
It will be available to more people in future Chrome versions. Session theft is when an attacker secretly takes session cookies from a web browser, either by harvesting cookies that are already stored or by waiting for the user to log into an account and taking the new ones. Google introduced DBSC in April 2024 to address this problem by cryptographically binding authentication sessions to specific devices.
The goal is to make stolen cookies useless, even when malware exfiltrates them, by keeping the binding key in hardware-backed security modules such as the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS.
Chrome must prove to the server that it holds the correct private key before the server issues new short-lived session cookies. Attackers cannot extract this key, so any cookies they do exfiltrate expire quickly and stop being useful to them. If a user's device does not support secure key storage, DBSC gracefully falls back to normal cookie behavior, as Google notes in its developer documentation.
This won't interrupt the authentication flow. Google is working with Microsoft to make the architecture more private and to turn it into an open web protocol. To preserve privacy, the design uses separate keys so that websites cannot correlate a user's activity across different sessions or sites on the same device.
The protocol is also designed to be efficient: no device identifiers or attestation data are sent to servers unless they are needed to verify the session's public key.