Chrome ties stolen cookie sessions to your device

Chrome is rolling out Device Bound Session Credentials, a security feature that binds browser sessions to a device’s security chip—Trusted Platform Module on Windows and Secure Enclave on Mac—so stolen cookies can’t be used to sign in elsewhere. DBSC is enable

The moment a hacker grabs your browser cookies, the attack can feel invisible—until it starts working on someone else’s device.

Browser cookies are the small files websites use to remember who you are. They store login sessions and website preferences, making your favorite sites feel seamless. But that same convenience has always been the weak point. If malicious software can steal those cookies, an attacker may be able to sign in as you on their own device—without wrestling through multi-factor authentication codes that would otherwise challenge the login.

Chrome’s new defense aims to stop that exact move.

Google says it has introduced Device Bound Session Credentials (DBSC), now available in Chrome for Windows and rolling out as a feature to prevent cookie hijacking. The feature ties the session credentials to the security chip built into your device. On most Windows PCs, that chip is the Trusted Platform Module (TPM). On a Mac, it’s the Secure Enclave.

So even if a hacker manages to steal your browser cookies, those cookies remain linked to your computer and can’t be applied elsewhere. Google describes it as strengthening account security after users are logged in and binding a session cookie—the small file websites use to remember user information—to the device a user authenticated from. The company says DBSC reduces the risk of session theft and makes it “meaningfully more difficult for malicious actors to exploit stolen session cookies,” even when malware is present on the user’s device.
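To make the binding concrete, here is an added sketch (not code from Google or Chrome, and not the DBSC wire protocol) of a server that honours a session cookie only when the request also proves possession of a key held by the device. The names `makeDevice`, `Server` and `demo` are invented for this illustration, and a closure stands in for the TPM or Secure Enclave.

```javascript
// Added illustration: simplified model of device binding, not Chrome's DBSC wire protocol.
const crypto = require('crypto');

// Stand-in for the TPM / Secure Enclave: the private key stays inside the
// closure and only a sign() operation is exposed to the caller.
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (data) => crypto.sign('sha256', data, privateKey) };
}

class Server {
  constructor() { this.sessions = new Map(); }
  // At login the server stores the device's public key next to the session.
  login(devicePublicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey: devicePublicKey, challenge: null });
    return cookie;
  }
  // A fresh random challenge per check, so an old signature cannot be replayed.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32);
    return s.challenge;
  }
  // The cookie alone is not enough: a valid signature over the outstanding
  // challenge, made with the key registered at login, is also required.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use
    return crypto.verify('sha256', challenge, s.publicKey, signature);
  }
}

// Constructed scenario: the same cookie value is presented from two devices.
function demo() {
  const server = new Server();
  const victim = makeDevice();
  const otherDevice = makeDevice(); // has its own key, not the victim's
  const cookie = server.login(victim.publicKey);
  const sig = victim.sign(server.challenge(cookie));
  const legit = server.refresh(cookie, sig);           // original device
  server.challenge(cookie);
  const replay = server.refresh(cookie, sig);          // old signature, new challenge
  const hijack = server.refresh(cookie, otherDevice.sign(server.challenge(cookie)));
  return { legit, replay, hijack };
}
console.log(demo());
```

Only the device that registered its key at login passes the check; the copied cookie fails both with a replayed signature and with a signature from a different key.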

The rollout also changes who has to turn it on. Google says DBSC is enabled by default for all Google Workspace and personal Google accounts. When it moved into earlier phases, IT admins at organizations had to activate the protection for Chrome users. Now, the protection is automatically enabled for both enterprise and personal account users.

Google first began developing DBSC in 2024 to protect Chrome users from cookie-hijacking attacks at home and in the workplace. In 2025, the company rolled it out as an open beta for Google Workspace customers. With this latest availability, the expectation is straightforward: users just need the right Chrome version.

Because DBSC is automatically turned on, there’s no switch or setting to control. Google says to make sure you’re running Chrome version 146 or later on Windows and version 148 or later on a Mac. To update, Google instructs users to click the three-dot icon at the upper right, go to Help, and select About Google Chrome—then restart the browser once the latest version downloads.

For people worried about cookie theft, the practical takeaway is stark: attackers may still steal session data, but Chrome is trying to keep that session locked to the device that authenticated it in the first place.
