Most people think enabling two-factor authentication is enough to protect their online accounts. Unfortunately, cybercriminals could still hack into your account by targeting session cookies.
Session cookies are small pieces of data that a browser stores so that a user stays logged in to a website after authenticating. If an attacker obtains a valid session cookie, they can often access the account without knowing the password or entering an authentication code, because the cookie itself is what the site accepts as proof of login.
This technique, known as a “pass-the-cookie” attack, has become one of the favourite tools of infostealer malware. Over the past few years, malware families such as RedLine and Lumma have been used to steal browser data, including active session tokens, from infected computers. Once stolen, those tokens can give attackers direct access to email accounts, cloud services, and corporate systems.
Now Google is trying to make this attack much harder for criminals.
The company has announced that Device-Bound Session Credentials (DBSC) are now generally available in Chrome on Windows. The feature was previously available in beta for Google Workspace users, but it is now rolling out by default to all Workspace customers, Workspace Individual subscribers, and even personal Google accounts.
With DBSC, a session cookie should only work on the device where it was originally created.
To understand why DBSC matters, it is important to understand how these attacks typically work.
For example, when you sign in to Gmail and choose to stay logged in, Chrome stores a session cookie so you do not need to enter your password every time you open the website. That cookie acts as proof that you have already authenticated yourself.
If malware steals that session cookie, attackers can often import it into another computer and continue using the victim’s active session without ever knowing the account password.
DBSC changes that by cryptographically linking the session to the user’s device. Even if malware manages to steal the cookie, it becomes useless on another machine because the attacker does not have access to the associated device credentials.
This means attackers can no longer rely on a stolen cookie alone to hijack an account: the cookie is only half of the credential, and the other half never leaves the device.
This change matters because many recent cyberattacks have relied on stolen authenticated sessions rather than stolen passwords. In many cases, a stolen session token bypassed MFA entirely, because the user had already completed the login, MFA step included, before the token was taken.
Google is also integrating DBSC with Context-Aware Access, allowing organizations to apply additional security checks based on device status, user activity, and other risk signals. Enterprise administrators can monitor DBSC events through audit logs, giving security teams more visibility into how authenticated sessions are being used across their environments.
The good thing is that users do not need to do anything. Google has enabled the feature by default, and administrators cannot disable it through the Admin console.
Google deserves credit for this move. While it may not be as flashy as new AI features, Device-Bound Session Credentials address a real and growing security problem. As session hijacking becomes more common, securing active sessions is now just as critical as protecting passwords and authentication methods.