Chrome rolls out hardware‑bound session cookies to Windows; macOS support coming

What happened
Google is reportedly making Device Bound Session Credentials (DBSC) publicly available to Windows users in Chrome 146, with macOS support slated for an upcoming release. The move targets a nasty, persistent problem: session theft. Imagine malware quietly siphoning your browser cookies and then logging into your accounts as if it were you. Ouch. Google says this is meant to flip the script from reactive detection to proactive prevention.
How DBSC works
DBSC binds a session to the device with a hardware-backed key (the TPM on Windows, the Secure Enclave on macOS) that cannot be exported off the machine, and keeps the session cookie itself short-lived. Each time a site refreshes that cookie, Chrome first proves possession of the private key to the server; cookies an attacker exfiltrates without the key cannot be refreshed, so they stop working once the short-lived cookie expires. Google has reportedly seen a marked reduction in session theft in early deployments. Not a silver bullet (once malware owns your machine it can still do damage), but it raises the bar significantly.
Privacy and standards
Privacy was baked in. Each session gets its own key so sites can’t stitch you across visits or devices, and the protocol deliberately avoids leaking device identifiers or attestation data beyond the per‑session public key. DBSC was developed through the W3C process and the Web Application Security Working Group; Google also engaged with other browser vendors, including Microsoft, during design and rollout. The idea: make stronger, hardware‑backed sessions an open web capability, not a proprietary add‑on.
Why it matters
Sites need to add registration and refresh endpoints on the backend, but front‑end code and ordinary cookies keep humming — the browser handles the messy cryptography and rotation. That makes adoption feasible without rewriting apps from scratch. Will the web actually adopt it at scale? That’s the next test. Still, in an era where passkeys and hardware protections are becoming the norm, DBSC feels like the sensible next step — unglamorous, necessary, and likely to save a lot of headaches.
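The registration and refresh flow sketched under "How DBSC works" and the two backend endpoints mentioned under "Why it matters", as an added example that is not Google's or Chromium's code: a small Go model of a site's registration endpoint, refresh endpoint and unchanged cookie check, with a stand-in for the device key. Assumptions, none of which are DBSC's real wire format: the hardware key is simulated with an in-process ECDSA P-256 key, the challenge/response messages are plain strings, the function names are invented, and the ten-minute cookie lifetime and the clock are constructed for the walkthrough.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomToken() string {
	b := make([]byte, 16)
	must(rand.Read(b))
	return hex.EncodeToString(b)
}

// digest is what both sides sign and verify: SHA-256 of the server's challenge.
func digest(challenge string) []byte {
	h := sha256.Sum256([]byte(challenge))
	return h[:]
}

// newDeviceKey stands in for the non-exportable TPM / Secure Enclave key (assumption: an in-process P-256 key).
func newDeviceKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// prover is the browser side: sign the challenge with the device key to prove possession; the key itself never leaves.
func prover(k *ecdsa.PrivateKey) func(string) []byte {
	return func(c string) []byte { return must(ecdsa.SignASN1(rand.Reader, k, digest(c))) }
}

type boundSession struct { // per-session public key plus the current short-lived cookie
	pub       *ecdsa.PublicKey
	cookie    string
	expiresAt time.Time
}

// server models the two endpoints a site adds (Register, Refresh); Authorize is the unchanged cookie check.
type server struct {
	sessions  map[string]*boundSession
	now       func() time.Time
	cookieTTL time.Duration
}

// Register binds a new session to pub once the browser signs a fresh challenge.
func (s *server) Register(pub *ecdsa.PublicKey, prove func(string) []byte) (sid, cookie string, err error) {
	challenge := randomToken()
	if !ecdsa.VerifyASN1(pub, digest(challenge), prove(challenge)) {
		return "", "", errors.New("registration: proof of possession failed")
	}
	sid, cookie = randomToken(), randomToken()
	s.sessions[sid] = &boundSession{pub: pub, cookie: cookie, expiresAt: s.now().Add(s.cookieTTL)}
	return sid, cookie, nil
}

// Authorize knows nothing about keys: a matching, unexpired cookie is enough, exactly as today.
func (s *server) Authorize(sid, cookie string) error {
	sess, ok := s.sessions[sid]
	if !ok || sess.cookie != cookie || !s.now().Before(sess.expiresAt) {
		return errors.New("no valid cookie: refresh required")
	}
	return nil
}

// Refresh issues a single-use challenge and rotates the cookie only if the response verifies under the bound key.
func (s *server) Refresh(sid string, prove func(string) []byte) (string, error) {
	sess, challenge := s.sessions[sid], randomToken()
	if sess == nil || !ecdsa.VerifyASN1(sess.pub, digest(challenge), prove(challenge)) {
		return "", errors.New("refresh: unknown session or proof of possession failed")
	}
	sess.cookie, sess.expiresAt = randomToken(), s.now().Add(s.cookieTTL)
	return sess.cookie, nil
}

// RunScenario: register, let an infostealer copy the cookie, let it expire, then see who can refresh.
func RunScenario() map[string]bool {
	clock := time.Unix(1_700_000_000, 0) // constructed clock so expiry is deterministic
	srv := &server{sessions: map[string]*boundSession{}, now: func() time.Time { return clock }, cookieTTL: 10 * time.Minute}
	key := newDeviceKey()
	sid, cookie, err := srv.Register(&key.PublicKey, prover(key))
	r := map[string]bool{"owner registers": err == nil}
	stolen, attackerKey := cookie, newDeviceKey() // the cookie jar copies; the device key does not
	r["stolen cookie works before expiry"] = srv.Authorize(sid, stolen) == nil // the residual window
	clock = clock.Add(11 * time.Minute)
	r["stolen cookie works after expiry"] = srv.Authorize(sid, stolen) == nil
	_, err = srv.Refresh(sid, prover(attackerKey)) // has the cookie, not the bound key
	r["attacker can refresh"] = err == nil
	fresh, err := srv.Refresh(sid, prover(key))
	r["owner can refresh"] = err == nil && srv.Authorize(sid, fresh) == nil
	r["stolen cookie works after rotation"] = srv.Authorize(sid, stolen) == nil
	return r
}
```

The walkthrough makes the article's two points concrete: `Authorize` is the same cookie check a site runs today, so front-end code and ordinary cookies are untouched, while only `Register` and `Refresh` are new. It also shows the caveat the article hedges with: a freshly stolen cookie still works until it expires (the "residual window" entry), which is why the cookie lifetime is kept short; what the thief cannot do is renew it, because renewal needs a signature from a key that never left the victim's TPM.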
Sources: security.googleblog.com, Lobsters