Google Chrome adds session cookie theft protection for all users
Google has announced that Chrome's Device Bound Session Credentials (DBSC) feature is now generally available and rolling out to all users. DBSC binds session cookies to the device, making stolen cookies useless for attackers. This prevents account takeovers even if malware exfiltrates cookies, as the credentials cannot be reused on another device. The feature addresses a common attack vector where session cookies are stolen after authentication, bypassing MFA. Google has been testing DBSC since 2024 and is now enabling it by default for all Chrome users. The rollout is gradual, with full availability expected in the coming weeks. No user action is required, but developers may need to update their sites to support the new binding mechanism.
Developers must ensure their sites support DBSC to maintain session security for Chrome users.
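The binding described above, as an added sketch (not Chrome's or Google's code, and not the DBSC wire protocol): a simplified Node.js model in which a session is tied to a device-held key pair and the cookie is short-lived, so a copied cookie cannot be renewed without the private key. The function names, the 5-minute lifetime and the in-memory store are assumptions made for the example.

```javascript
// Simplified model of a device-bound session (illustrative; all names are hypothetical).
const crypto = require('node:crypto');

const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed short cookie lifetime
const sessions = new Map();          // sessionId -> { publicKey, challenge, cookie, expires }

// Device side: key pair created at sign-in; the private key never leaves the device.
const newDeviceKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device side: prove possession of the private key by signing the server's challenge.
const signChallenge = (privateKey, challenge) =>
  crypto.sign('sha256', Buffer.from(challenge), privateKey);

// Server side: mint a fresh short-lived cookie for an existing session.
function issueCookie(sessionId, now) {
  const s = sessions.get(sessionId);
  s.cookie = crypto.randomBytes(32).toString('base64url');
  s.expires = now + COOKIE_TTL_MS;
  return s.cookie;
}

// Server side: bind a new session to the device's public key.
function registerSession(publicKey, now) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey, challenge: null, cookie: null, expires: 0 });
  return { sessionId, cookie: issueCookie(sessionId, now) };
}

// Server side: a cookie is accepted only while unexpired and equal to the current one.
function cookieIsValid(sessionId, cookie, now) {
  const s = sessions.get(sessionId);
  if (!s || !s.cookie || typeof cookie !== 'string' || now >= s.expires) return false;
  const a = Buffer.from(s.cookie), b = Buffer.from(cookie);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Server side: one-time challenge the device must sign before a refresh.
function newChallenge(sessionId) {
  const s = sessions.get(sessionId);
  return s ? (s.challenge = crypto.randomBytes(32).toString('base64url')) : null;
}

// Server side: refresh only on a valid signature over the outstanding challenge.
function refresh(sessionId, signature, now) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = Buffer.from(s.challenge);
  s.challenge = null; // single use, so a captured signature cannot be replayed
  return crypto.verify('sha256', challenge, s.publicKey, signature) ? issueCookie(sessionId, now) : null;
}
```

In this model a cookie copied off the device stays usable only until its expiry, so the lifetime chosen for the bound cookie sets the exposure window.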