Protecting Session Credentials: A New Approach by Google Chrome


Google Develops New Protocol to Counter Cookie Theft

Google has introduced a novel approach called Device Bound Session Credentials (DBSC) to combat the widespread issue of cookie theft.

The Problem of Cookie Theft

  • Cookie theft follows a predictable pattern. Malware infects a device, extracts authentication cookies, and exfiltrates them to an attacker-controlled server. Since cookies often have extended lifetimes, attackers can access accounts without needing passwords, and then sell the stolen credentials on the black market.

  • By gaining access to a machine, malware can easily read local files and memory where browsers store authentication cookies.

How DBSC Works

  • DBSC uses hardware-backed security modules, such as the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS, to generate a unique public-private key pair per device.

  • While a session is active, the browser must prove possession of the corresponding private key to the server before the server issues new session cookies.

  • These cookies are designed to be short-lived: a stolen cookie expires quickly, and an attacker who lacks the private key cannot obtain a fresh one.

Benefits of DBSC

  • This protocol allows both large and small websites to seamlessly integrate secure, hardware-bound sessions into their systems by adding dedicated registration and refresh endpoints to their backends.

  • The browser handles the complex cryptography and cookie rotation behind the scenes, allowing the web application to continue using standard cookies for access as usual.
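To make the registration/refresh flow concrete, here is an added example (not code from Google, Chrome or the DBSC specification) modelling the server side in Go: registration binds a session to the device public key, and the refresh endpoint issues a short-lived cookie only after the browser signs a fresh challenge with the bound private key. The TPM/Secure Enclave is assumed away: the device key is a plain in-memory P-256 key, and the cookie lifetime, challenge size and function names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

const CookieTTL = 10 * time.Minute // constructed short cookie lifetime
// Session is the server-side record for one device-bound session.
type Session struct {
	PubKey    *ecdsa.PublicKey // public half of the device key, sent at registration
	Challenge []byte           // nonce the browser must sign on the next refresh
	Cookie    string           // currently valid short-lived cookie value
	Expires   time.Time
}

func nonce(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand does not fail

// NewDeviceKey stands in for TPM/Secure Enclave key generation (plain in-memory key here).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Register is the registration endpoint: bind the session to the device public key and
// hand out the first challenge. No cookie is issued until possession is proven.
func Register(pub *ecdsa.PublicKey) *Session { return &Session{PubKey: pub, Challenge: nonce(32)} }

// Refresh is the refresh endpoint: a new short-lived cookie is issued only if sig is the
// bound key's signature over the current challenge, which then rotates (no replay).
func (s *Session) Refresh(sig []byte, now time.Time) (string, error) {
	if digest := sha256.Sum256(s.Challenge); !ecdsa.VerifyASN1(s.PubKey, digest[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	s.Cookie, s.Expires, s.Challenge = hex.EncodeToString(nonce(16)), now.Add(CookieTTL), nonce(32)
	return s.Cookie, nil
}

// CookieValid is the check an ordinary request handler makes on each request.
func (s *Session) CookieValid(cookie string, now time.Time) bool {
	return cookie == s.Cookie && now.Before(s.Expires)
}

// ProvePossession is the browser side: sign the server's challenge with the device key.
func ProvePossession(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
```

A cookie copied off the machine is useless once CookieTTL has passed, and a captured signature cannot be replayed because the challenge rotates on every successful refresh; only the holder of the private key can keep the session alive.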

Industry Involvement and Future Development

  • According to Google, DBSC was developed through the W3C process and adopted by the Web Application Security Working Group.

  • Google collaborated with Microsoft on the standard’s design and conducted two Origin Trials over the past year to gather feedback from the broader web community.

  • Okta contributed feedback on whether the protocol meets their operational requirements.

According to Google, its next steps are building cross-origin bindings for enterprises that use Single Sign-On, developing mechanisms to bind DBSC sessions to pre-existing trusted key material, and exploring software-based keys to extend the protection to devices that lack dedicated secure hardware.
