Chrome Binds Cookies to Devices

Chrome 146 introduced Device Bound Session Credentials (DBSC), which bind session cookies to hardware keys on a device so stolen credentials can't be reused elsewhere. The change is described as a hardware-backed security improvement for browsers and web-attached devices. (x.com)

Web logins usually work like coat-check tickets: if someone steals the ticket, they can claim the coat. In Chrome 146, Google started adding a second check that ties some sessions to the physical device that created them. (security.googleblog.com)

Google said on April 9 that Device Bound Session Credentials are entering public availability for Windows users in Chrome 146. The company said macOS support is coming in a future Chrome release. (security.googleblog.com)

The underlying problem is session hijacking, better known as cookie theft. A site gives your browser a session cookie after you sign in, and malware that steals that cookie can often reuse it on another machine without needing your password or two-factor code. (developer.chrome.com) (blog.chromium.org)

Device Bound Session Credentials change that by adding a hardware-backed key pair, which works like a lock and matching key stored in the computer's secure chip. On Windows, Chrome uses the Trusted Platform Module so the private key stays on the device and cannot be exported with the cookie. (security.googleblog.com) (developer.chrome.com)

When a website adopts the system, Chrome proves to the site that the device still holds the private key before refreshing or continuing the session. Google said a stolen cookie copied to a different computer should then fail that proof check and become far less useful to an attacker. (developer.chrome.com) (security.googleblog.com)

Google first announced the project in April 2024 as a prototype and said it was being developed in the open as a proposed web standard. The current draft is published through the Web Application Security Working Group process at the World Wide Web Consortium's GitHub pages. (blog.chromium.org) (w3c.github.io)

This is not a browser-only switch that protects every site overnight. Chrome's developer documentation says websites have to change their login flows, add a registration endpoint, and add a refresh endpoint to bind sessions to devices. (developer.chrome.com)

Google is also pitching the feature to administrators who run company accounts. In updated Workspace documentation, Google says admins can use session binding in beta to reduce session hijacking for managed users. (support.google.com)

The immediate target is the infostealer malware economy, which has turned stolen browser cookies into a shortcut around passwords and some two-factor protections. Chrome's new model does not stop malware from running on an infected computer, but it does aim to stop that malware from turning one copied cookie into a login on some other machine. (security.googleblog.com) (developer.chrome.com)

For users, the visible change may be nothing at all. The real test now is how many sites adopt the extra hardware check that turns a copied session cookie from a master key into a dead duplicate. (developer.chrome.com)
