Posts: 16,272
Threads: 10,307
Thanks Received: 9,367 in 7,513 posts
Thanks Given: 10,347
Joined: 12 September 18
10 April 26, 06:54
Quote:Google has introduced Device Bound Session Credentials in Chrome 146 for Windows. This security feature cryptographically ties session cookies to a device's hardware, making it impossible for stolen cookies to be used on a different machine.
Support for macOS has not been announced. The feature was first announced in 2024 and was developed in partnership with Microsoft as an open web standard.
How DBSC Works in Chrome 146 on Windows
![[Image: Screenshot-2026-04-09-at-10.11.22-AM-scaled.png]](https://www.ghacks.net/wp-content/uploads/2026/04/Screenshot-2026-04-09-at-10.11.22-AM-scaled.png)
DBSC links a user's browser session to the device's security hardware, which is the Trusted Platform Module on Windows and the Secure Enclave on macOS. During session creation, the security chip generates a unique pair of public and private keys.
Since the private key can’t be exported from the device, any session cookie stolen by malware becomes useless elsewhere. Short-lived session cookies are only issued when Chrome can prove to the server that it possesses the corresponding private key. Without this proof, exfiltrated cookies will expire and cannot be used to authenticate the attacker to the target service.
Continue Reading...
Google Chrome 146 Adds Device Bound Session Credentials to Stop Session Cookie Theft
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
