Chrome strengthens session security

🔺 Technologies | 2026-04-13, 12:32
Google Chrome has introduced a new technology, Device-Bound Session Credentials (DBSC), to protect user sessions from hijacking.
With DBSC, instead of relying solely on cookies, the browser binds a session to a specific device. When a user logs in, Google Chrome generates a cryptographic key pair, and the private key is stored in secure hardware on the device, such as a Trusted Platform Module (TPM).
The session is then built around short-lived cookies. When a cookie expires, the browser must prove to the server that it still possesses the private key. Only after this verification is the session renewed. As a result, even if a cookie is stolen, it cannot be reused on another device, since the attacker will not have access to the required key.
Cookie theft remains one of the most effective ways to bypass security, especially for infostealers. Such attacks can even bypass multi-factor authentication, since the session is already considered trusted. DBSC significantly reduces the practical value of stolen cookies.
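The key binding and renewal check described above, as an added example that is not Chrome's or Google's code: a simplified server-side model in Node.js, not the DBSC wire format. The class and function names, the 10-minute cookie lifetime, and the software-generated P-256 key standing in for the TPM-held key are all assumptions made for illustration.

```javascript
// Simplified model of the renewal flow; names and values are assumptions, not the DBSC wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of the short-lived cookie

class SessionServer {
  constructor() { this.sessions = new Map(); } // sessionId -> bound key + cookie state
  // Login: remember the device's public key and issue the first cookie.
  register(publicKey, now) {
    const id = randomBytes(16).toString('hex');
    this.sessions.set(id, { publicKey, challenge: null });
    return { id, cookie: this.issueCookie(id, now) };
  }
  issueCookie(id, now) {
    const s = this.sessions.get(id);
    s.cookie = randomBytes(16).toString('hex');
    s.expires = now + COOKIE_TTL_MS;
    return s.cookie;
  }
  cookieValid(id, cookie, now) {
    const s = this.sessions.get(id);
    return Boolean(s) && s.cookie === cookie && now < s.expires;
  }
  // Renewal, step 1: fresh random challenge, so an old signature cannot be replayed.
  challenge(id) {
    const s = this.sessions.get(id);
    s.challenge = randomBytes(32);
    return s.challenge;
  }
  // Renewal, step 2: new cookie only if the challenge was signed by the bound key.
  refresh(id, signature, now) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const pending = s.challenge;
    s.challenge = null; // each challenge is single-use
    return verify('sha256', pending, s.publicKey, signature) ? this.issueCookie(id, now) : null;
  }
}

// Constructed scenario: the registered device, and a second machine holding only a copied cookie.
function demo() {
  const server = new SessionServer();
  const device = generateKeyPairSync('ec', { namedCurve: 'P-256' }); // stands in for the TPM-held key
  const other = generateKeyPairSync('ec', { namedCurve: 'P-256' }); // a different machine's key
  const { id, cookie } = server.register(device.publicKey, 0);
  const later = COOKIE_TTL_MS + 1; // the copied cookie has expired by now
  const copiedCookieValid = server.cookieValid(id, cookie, later);
  const otherRenewal = server.refresh(id, sign('sha256', server.challenge(id), other.privateKey), later);
  const deviceRenewal = server.refresh(id, sign('sha256', server.challenge(id), device.privateKey), later);
  return { copiedCookieValid, otherRenewal, deviceRenewal, renewedValid: server.cookieValid(id, deviceRenewal, later + 1) };
}
```

In this model the copied cookie is accepted only until it expires, which is why the cookie lifetime sets the exposure window on the server side.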
⚠️ Limitations
Despite its advantages, the technology is not a complete solution. If the device is already compromised, for example by malware present during registration, it may be possible to extract the key. However, such attacks are significantly more complex and more detectable than traditional cookie theft.
DBSC also requires server-side support. It is not just a browser setting, but a change in the authentication logic.