From now on, session cookies in Chrome will be tied to the device on which they were created, making them much harder for attackers to reuse elsewhere.
Google is rolling out a new security feature in Chrome that makes stolen session cookies less useful for cybercriminals. With Device Bound Session Credentials (DBSC), logged-in sessions are cryptographically linked to the device on which they were created.
Session cookies have been a popular target for attackers for years. Anyone who can steal such a cookie can often impersonate an already logged-in user without having to go through password or multi-factor authentication again. This makes session hijacking an efficient method for account takeovers.
Hardware as an extra layer of security
DBSC aims to address this problem by linking sessions to hardware. On Windows, Chrome uses the Trusted Platform Module (TPM) for this, while macOS devices use the Secure Enclave.
When a user logs in, Chrome creates a session cookie as well as a cryptographic key pair. The private key is held in the TPM or Secure Enclave and is never exported, and the server periodically challenges the browser to prove possession of it before it will renew the session. The session is therefore bound to that specific piece of hardware: an attacker who only steals the cookie does not have the key needed to answer those challenges. According to Google, this makes it considerably harder to turn stolen sessions into account takeovers.
Automatically activated
Google already announced DBSC in 2024 and has begun its broad rollout. The feature is enabled automatically and cannot be disabled. No administrative actions are required for Google Workspace customers.
To use DBSC, systems must run at least Chrome 146 on Windows or Chrome 148 on macOS. Compatible hardware is also required: a TPM on Windows systems or a Secure Enclave on Macs.
Protection against a growing threat
The measure comes at a time when malware that steals browser data is being deployed more frequently. Such malware collects session cookies, among other things, allowing attackers to take over existing login sessions without knowing the login credentials.
DBSC makes this attack vector less attractive, although Google emphasizes that users must remain vigilant. The new protection stops stolen cookies from being reused on another machine, but it does not prevent malware from capturing other sensitive data, and malware running on the device itself can still act within the legitimate session.
