Chrome 146 Introduces Device-Bound Session Credentials to Combat Cookie Theft
Original source: "Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows" (The Hacker News)
Google is shipping Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, a feature designed to neutralize session hijacking attacks that rely on stolen cookies. DBSC ties authentication sessions to the device's hardware by using the Trusted Platform Module (TPM) to generate a cryptographic key pair whose private key stays inside the TPM and so cannot be exfiltrated. When a server opts into DBSC, Chrome periodically proves possession of that private key, rendering stolen session cookies useless on any other machine.
The move targets the growing ecosystem of infostealer malware that harvests browser cookies to bypass authentication entirely, including MFA. Rather than trying to prevent cookie theft outright, DBSC makes stolen cookies worthless by binding session validity to a hardware attestation that attackers cannot replicate remotely.
DBSC is rolling out as an opt-in protocol that websites must explicitly support. Google has been testing it with its own properties and is encouraging broader adoption across the web. The feature builds on earlier Chrome security investments like App-Bound Encryption and represents a meaningful architectural shift in how browser sessions can be protected at the platform level.
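To make the mechanism concrete, the following Go program is an added example written for this summary; it is not Chrome's, Google's, or The Hacker News' code, and it does not reproduce the real DBSC wire protocol (its headers, key types and refresh endpoint are not modelled). It shows the server-side check that device binding enables: a session cookie is bound at registration to a device public key, and a refresh succeeds only when the current challenge is signed with the matching private key. Ed25519 stands in for the TPM-held key, and the challenge format, type names and function names (`DeviceKey`, `Server`, `Scenario`) are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// DeviceKey models the TPM-resident key pair (hypothetical stand-in, not
// Chrome's implementation). In DBSC the private half is generated by and
// stays inside the TPM; here that is approximated by keeping it unexported
// so that only Sign can use it.
type DeviceKey struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDeviceKey() (*DeviceKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{pub: pub, priv: priv}, nil
}

func (k *DeviceKey) Public() ed25519.PublicKey { return k.pub }

// Sign answers a server challenge; this is the only operation that needs the private key.
func (k *DeviceKey) Sign(challenge []byte) []byte { return ed25519.Sign(k.priv, challenge) }

// session is the server-side record behind one cookie value.
type session struct {
	boundKey ed25519.PublicKey
	nonce    []byte // current unanswered challenge; rotated after every accepted proof
}

// Server is a minimal relying party that opts into device binding.
type Server struct {
	sessions map[string]*session
}

func NewServer() *Server { return &Server{sessions: map[string]*session{}} }

func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Register binds a fresh session cookie to the device's public key.
func (s *Server) Register(pub ed25519.PublicKey) string {
	cookie := hex.EncodeToString(newNonce())
	s.sessions[cookie] = &session{boundKey: pub, nonce: newNonce()}
	return cookie
}

// Challenge returns the bytes the cookie holder must sign to keep the session alive.
// The cookie value is mixed in so a signature cannot be transplanted onto another session.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	sess, ok := s.sessions[cookie]
	if !ok {
		return nil, fmt.Errorf("unknown session")
	}
	return append([]byte(cookie+":"), sess.nonce...), nil
}

// Refresh accepts a signed challenge. It succeeds only if the signature was made
// with the private key bound at registration, then rotates the nonce so the same
// signature cannot be replayed.
func (s *Server) Refresh(cookie string, sig []byte) bool {
	sess, ok := s.sessions[cookie]
	if !ok {
		return false
	}
	msg, _ := s.Challenge(cookie)
	if !ed25519.Verify(sess.boundKey, msg, sig) {
		return false
	}
	sess.nonce = newNonce()
	return true
}

// Scenario runs three refresh attempts against one bound session and returns
// (legitimate device, stolen cookie with attacker's own key, replayed old signature).
func Scenario() (legit, stolen, replay bool) {
	srv := NewServer()
	victim, _ := NewDeviceKey()
	cookie := srv.Register(victim.Public())

	// 1. The victim's browser answers the challenge with the bound key.
	ch, _ := srv.Challenge(cookie)
	sig := victim.Sign(ch)
	legit = srv.Refresh(cookie, sig)

	// 2. An infostealer has the cookie but not the TPM key, so it signs with its own key.
	attacker, _ := NewDeviceKey()
	ch2, _ := srv.Challenge(cookie)
	stolen = srv.Refresh(cookie, attacker.Sign(ch2))

	// 3. Replaying the victim's earlier signature fails because the nonce has rotated.
	replay = srv.Refresh(cookie, sig)
	return legit, stolen, replay
}

func main() {
	legit, stolen, replay := Scenario()
	fmt.Printf("legitimate refresh: %v\nstolen cookie, attacker key: %v\nreplayed signature: %v\n",
		legit, stolen, replay)
}
```

Run it with `go run main.go`. Two choices carry the security point: the cookie value is part of the signed challenge, so a proof cannot be moved to another session, and the nonce rotates after every accepted proof, so a captured cookie-plus-signature pair is worthless once used. A refresh that fails signature verification for a known cookie is exactly the event a defender would want logged, since it is the signature of a cookie being used away from the device it was bound to.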
This is an AI-generated summary of the original article at The Hacker News; read the original for the full story.