Google Chrome’s New Feature Takes Aim at Cookie Theft, Account Hijacking

Google Chrome’s New Feature Takes Aim at Cookie Theft, Account Hijacking

Google Chrome’s New Feature Takes Aim at Cookie Theft, Account Hijacking

Chrome’s DBSC update binds login sessions to user devices, making stolen session cookies harder to reuse in account hijacking attacks.

Jun 1, 2026

Google Chrome is making stolen login cookies a lot less useful.

Google has begun rolling out Device Bound Session Credentials, a security feature that ties some Chrome sessions to the device that created them. The goal is to make it harder for attackers to use stolen session cookies to hijack accounts, even when they have already bypassed passwords or MFA.

That matters because cookie theft has become a quiet shortcut for account takeovers. Instead of breaking into an account at the front door, attackers can sometimes steal the browser token that proves a user is already logged in.

A session cookie is a unique token that identifies an authenticated user across a web session.

Once a user logs in, the server generates this token, and the browser includes it in subsequent requests, allowing the server to automatically validate that session without requesting credentials again. Its validity remains for a defined period or until a user manually clears it.

In addition to web authentication, it is also used to track a user’s actions, such as navigation progress or, on e-commerce platforms, items added to the cart.

Because session cookies reside in the browser’s data and their possession can be enough to impersonate a user’s ID on websites, threat actors actively target them through malware and other exfiltration techniques. That has led to repeated successes in session hijacking attacks, resulting in account takeovers.

Google’s response to this is DBSC.

Google first announced the feature in 2024, before launching it in May of this year. Rather than merely allowing the generation and storage of a session cookie, DBSC cryptographically binds that session to a chip in the device. Google says that it uses the Trusted Platform Module (TPM) on Windows devices and the Secure Enclave on macOS to generate private and public keys for each session cookie.

Doing this now makes a stolen session cookie extremely difficult for threat actors to exploit, as they will also need to obtain the target’s unique hardware keys.

Diagram showing browser, server, TPM, and DBSC endpoint exchanging session cookies and keys.
Image: Google

Important details users should know

The feature is available to all Google users, regardless of whether they are part of a workspace. For Workspace users, Google says it requires no admin input to enable. It also says that the feature can’t be turned off.

While the feature has begun rolling out, to ensure that your Chrome gets it, check that:

  • You are running at least Chrome version 146 on Windows and version 148 on macOS.
  • Your device has TPM and Secure Enclave. Google did not specify which TPM version is required, but it noted that TPM is standard on Windows 11 devices.
  • Since Windows 11 requires at least TPM 2.0, devices stuck on Windows 10 might not receive the feature. For macOS users, check whether your device supports Secure Enclave.

Also, there is no confirmation yet on whether this feature is available for mobile devices or when it may be.

For the millions of Chrome users who have been at high risk of session cookie theft, this feature may now make a threat actor think twice before attempting that technique.

However, users should remain safe and adhere to secure browsing practices, as the security landscape never rests on either side.

Also read: Apple is reportedly testing an iPhone anti-snatching feature that could lock stolen devices using motion signals and familiar-location checks.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.