Google's Device-Bound Session Credentials: The End of Session Hijacking?
2025-08-28
Session hijacking has long been a major threat to online security. Traditional cookie-based session management is vulnerable to it, leaving systems open to attack. To combat this, Google has introduced Device-Bound Session Credentials (DBSC), which leverage public-key cryptography. DBSC generates a key pair for each session and stores it securely on the device (e.g., using the TPM on Windows). This renders session identifiers useless on other devices, effectively preventing hijacking. DBSC is currently in beta for Google Workspace Chrome users (Windows); widespread adoption by other browser vendors could finally make session hijacking a relic of the past.
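
The key-binding idea described above, as an added example that is not from the original article or from Google: the server accepts a session identifier only together with a fresh signature from the private key registered for that session. It is a simplified illustration, not the DBSC protocol itself; all function names are hypothetical, and a software P-256 key stands in for a TPM-protected key.

```javascript
// Added illustration: binding a session to a device-held key pair.
// Not Chrome's DBSC wire protocol; every name below is hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('crypto');

// Server-side session table: session id -> public key registered at login.
const sessions = new Map();

// Device: create a per-session key pair. The article says the key is stored
// securely on the device (e.g. TPM); a software key stands in for it here.
function newDeviceKey() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server: start a session and remember which public key it is bound to.
function registerSession(publicKey) {
  const sessionId = randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey, challenge: null });
  return sessionId;
}

// Server: issue a fresh single-use challenge for this session.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = randomBytes(32);
  return s.challenge;
}

// Device: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, sessionId, challenge) {
  return sign('sha256', Buffer.concat([Buffer.from(sessionId), challenge]), privateKey);
}

// Server: accept the session id only with a valid signature over the
// outstanding challenge; the challenge is consumed so a replay fails.
function verifySession(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return false;
  const data = Buffer.concat([Buffer.from(sessionId), s.challenge]);
  s.challenge = null;
  try { return verify('sha256', data, s.publicKey, signature); }
  catch { return false; }
}
```

A session identifier copied to another device fails `verifySession` because that device cannot produce a signature matching the registered public key.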