Device Bound Session Credentials in Chrome  |  Blog  |  Chrome for Developers

Origin trial: Device Bound Session Credentials in Chrome

Device Bound Session Credentials (DBSC) is a new web capability designed to
protect user sessions from cookie theft and session hijacking. This feature is
now available for testing as an Origin Trial in Chrome 135.

Background

Cookies play a crucial role in modern web authentication, allowing users to stay
logged in across browsing sessions. However, attackers increasingly exploit
stolen authentication cookies to hijack sessions, bypassing multi-factor
authentication and other login security mechanisms.

Malware operators often exfiltrate session cookies from compromised devices,
enabling unauthorized access to user accounts. Since cookies are bearer tokens,
they grant access without requiring proof of possession—making them a lucrative
target for attackers.

Device Bound Session Credentials (DBSC) aims to disrupt cookie theft by creating
an authenticated session that is bound to a device. This approach mitigates the
chance that exfiltrated cookies can access accounts from another device.

How it works

DBSC introduces a new API that allows servers to create an authenticated session
that is bound to a device. When a session is initiated, the browser generates a
public-private key pair, storing the private key securely using hardware-backed
storage such as a Trusted Platform Module (TPM) when available.

The browser then issues a regular session cookie. During the session lifetime,
the browser periodically proves possession of the private key and refreshes the
session cookie. The cookie's lifetime can be set short enough that a stolen
cookie is of little value to an attacker: it expires before it can be used from
another device, and only the device holding the private key can refresh it.

Key components

One benefit of this approach is that Chrome defers requests that would otherwise
be missing the refreshed short-lived cookie. This behavior keeps session-bound
cookies consistently available throughout the session and allows developers to
rely on them more confidently than with approaches where cookies might expire or
disappear without automatic renewal.

Example implementation

A server can request a device-bound session like this:

HTTP/1.1 200 OK
Sec-Session-Registration: (ES256);path="/refresh";challenge="12345"

When the session is active, the server can verify it with a challenge-response
exchange:

HTTP/1.1 401 Unauthorized
Sec-Session-Challenge: "verify-session"

The browser responds with:

POST /refresh
Sec-Session-Response: "signed-proof"

Benefits

  • Mitigates cookie theft: Even if session cookies are stolen, they
    cannot be used from another device.
  • Enhances security without major UX changes: Works transparently in
    the background without requiring additional user interaction.
  • Reduces reliance on long-lived session cookies: Short-lived cookies
    are automatically refreshed as long as the session remains valid on the
    original device.
  • Supports standard cryptographic mechanisms: Leverages TPM-backed
    secure storage when available, providing strong protection against exfiltration.

Privacy and security considerations

DBSC is designed to enhance security while preserving user privacy:

  • No additional tracking vectors: Each session is associated with a
    unique key pair, preventing cross-session tracking.
  • No long-term device fingerprinting: Servers cannot correlate
    different sessions on the same device unless explicitly allowed by the user.
  • Clearable by users: Sessions and keys are deleted when the user
    clears site data.
  • Aligned with cookie policies: DBSC follows the same site-based
    scoping as cookies, ensuring it does not introduce cross-origin data leaks.

Try it out

The Device Bound Session Credentials Origin Trial is available from Chrome 135.

For local testing

To test DBSC locally:

  • Go to chrome://flags#device-bound-session-credentials and enable the
    feature.

For public testing

To test DBSC with the origin trial in a public environment:

  1. Visit the Chrome Origin Trials page and sign up.
  2. Add the provided token to your site's HTTP headers:

    Origin-Trial: 

Resources

Get involved and shape the future of web security

Join us in making web authentication more secure! We encourage web developers to
test DBSC, integrate it into their applications, and share feedback. You can
engage with us on GitHub or
participate in discussions with the Web Application Security Working Group.

By implementing DBSC, we can collectively reduce session hijacking risks and
enhance authentication security for users. Get started today and help define the
future of web security!
