Prevent cookie theft with session binding (beta)

As an administrator, you can enhance the security of your users' online sessions by implementing Device Bound Session Credentials (DBSC). DBSC is designed to prevent session hijacking, also commonly known as cookie theft. 

This type of cyberattack occurs when an unauthorized party gains control of a user's active web session by stealing the session cookie (a small data file containing the unique session identifier) issued by the website during login. By presenting this stolen cookie, the attacker can impersonate the legitimate user and continue their authenticated session. 

DBSC works by binding a user's session to their specific device, making it difficult for attackers to use stolen cookies on other devices. By using DBSC, you can lower the risk of unauthorized access to user accounts, keeping sensitive user data safe.
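To make the binding concrete, here is an added illustration of the principle (it is not Google's or Chrome's code and not the DBSC wire protocol): the server keeps the public half of a key pair generated on the device and requires each fresh challenge to be signed by the private half, so a cookie copied to another device fails the check. The cookie value, the nonces and the in-memory key standing in for the TPM are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Session is the server-side record of one login: the cookie plus the public
// half of the key pair the device generated when the session was bound.
type Session struct {
	Cookie string
	Pub    *ecdsa.PublicKey
}

// Device holds the private key, which never leaves it (the TPM in real DBSC).
type Device struct{ priv *ecdsa.PrivateKey }

// Bind runs at sign-in: the device generates a key pair, the server keeps the public key.
func Bind(cookie string) (*Device, *Session, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv}, &Session{Cookie: cookie, Pub: &priv.PublicKey}, nil
}

// Sign answers a server challenge with the device-held private key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify is the server check: a valid cookie alone is not enough; the fresh
// challenge must also be signed by the key bound at sign-in.
func Verify(s *Session, cookie string, challenge, sig []byte) bool {
	if cookie != s.Cookie {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.Pub, h[:], sig)
}

func main() {
	dev, sess, _ := Bind("SID=constructed-cookie") // constructed sample cookie
	sig, _ := dev.Sign([]byte("nonce-1"))
	fmt.Println(Verify(sess, sess.Cookie, []byte("nonce-1"), sig)) // true
}
```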

Requirements for using DBSC

  • Currently, DBSC is available only on Chrome browser for Windows devices.
  • The user's device must have a Trusted Platform Module (TPM), which is a standard hardware component that’s already available for most devices running Windows 11, to securely store and process cryptographic data. Users can typically find information about TPM availability in their device's system settings or by consulting the device manufacturer's documentation.
  • The user must have Chrome version 136 or above. For details, go to Update Google Chrome.
Note: During the beta phase, session binding secures only a limited selection of Google cookies, meaning that not all cookies for a user will be secured.

Turn on DBSC

Before you begin: If needed, learn how to apply the setting to a department or group.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Google Session control.

    Requires having the Security settings administrator privilege.

  3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  4. For Device Bound Session Credentials, select Enable DBSC.
  5. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

Potential outcomes of turning on DBSC

After you turn on DBSC, users might experience:

  • Session interruptions–If a user's session is valid but the binding process encounters an error, the system requires the user to sign in again. This safeguards the user's account and data.
  • Persistent issues–If a user consistently experiences problems with DBSC, they could be signed out often. In such cases, users should contact their administrator for troubleshooting assistance, which might include disabling DBSC for their account. The admin can create a group that is exempt from DBSC, and add the user to that group.

Enforce DBSC with Context-Aware Access

Limited to desktop web apps and not applicable for mobile apps or APIs

You can further enhance security by requiring users to have DBSC to access specific Google Workspace apps. Users attempting to access protected apps without a DBSC-bound session will be denied access. This security measure is configured through Context-Aware Access.

To set up DBSC enforcement:

  1. Turn on DBSC for the users that you want to protect. For the steps, go to Turn on DBSC.
  2. Follow the instructions to create a custom access level in Allow access to apps only from DBSC-bound sessions.
  3. Assign the access level to the apps you want to be accessed only by DBSC-bound sessions in monitor mode to simulate enforcement without blocking user access.
  4. After assessing the impact, assign access levels in active mode to enforce access only by DBSC-bound sessions. For details, go to Deploy Context-Aware Access.

DBSC enforcement is not immediate, which means that after a user signs in, there is a grace period before enforcement is applied. This design accommodates potential temporary binding issues. Once bound, the system periodically checks if users accessing the specified apps have DBSC-bound sessions. Any reauthentication will reset this grace period, and DBSC will not be enforced during that reauthentication.

Check DBSC log events

After you turn on DBSC, you can review User log events to check if a DBSC event occurred. For example, you can check whether DBSC key binding succeeded or failed.

Note: DBSC log events are only visible for the primary account when multiple user accounts are signed into the same Chrome browser profile.

To check whether an event occurred:

  1. Open User log events.
    For details, go to User log events.
  2. Click Add a filter > Event.
  3. Select a DBSC event and click Apply.

For details about events, refer to the following table:

Event name: DBSC key binding
Description: Attempted to bind a user's session to their device. The event status shows Succeeded or Failed. If the binding succeeds, a new TPM key pair is generated, and the key is bound to the device.

Event name: DBSC key validation
Description: An attempt to validate the DBSC key failed, resulting in one of the following error codes:
  • DBSC_KEY_VERIFICATION_FAILED
  • DBSC_FAILURE_REASON_UNKNOWN
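As an added example (not from this page or the Admin console), the following triages exported events by the outcomes listed above, flagging users whose most recent events form an unbroken run of failures: the "persistent issues" case for which the article suggests troubleshooting or a DBSC-exempt group. The pipe-separated line format, the user names and the threshold are constructed assumptions, since the export format is not described here.

```go
package main

import (
	"fmt"
	"strings"
)

// One User log event. The "user|event|status" line format is constructed
// for this example; it is not the Admin console export format.
type DBSCEvent struct{ User, Event, Status string }

// ParseEvents reads constructed "user|event|status" lines, one per event.
func ParseEvents(raw string) []DBSCEvent {
	var out []DBSCEvent
	for _, line := range strings.Split(raw, "\n") {
		if f := strings.Split(line, "|"); len(f) == 3 {
			out = append(out, DBSCEvent{f[0], f[1], f[2]})
		}
	}
	return out
}

// ConsistentFailures returns, per user, the run of failures at the end of their
// history (a success resets it). A "Failed" DBSC key binding or any DBSC key
// validation error code counts; users at or above minRun are candidates for
// troubleshooting or for the group that is exempt from DBSC.
func ConsistentFailures(events []DBSCEvent, minRun int) map[string]int {
	run := map[string]int{}
	for _, e := range events {
		if e.Status == "Failed" || strings.HasPrefix(e.Status, "DBSC_") {
			run[e.User]++
		} else {
			run[e.User] = 0
		}
	}
	for u, n := range run {
		if n < minRun {
			delete(run, u)
		}
	}
	return run
}

// Constructed sample: alice recovers after one failure, bob keeps failing.
const sampleLog = `alice@example.com|DBSC key binding|Failed
alice@example.com|DBSC key binding|Succeeded
bob@example.com|DBSC key validation|DBSC_KEY_VERIFICATION_FAILED
bob@example.com|DBSC key binding|Failed
bob@example.com|DBSC key validation|DBSC_FAILURE_REASON_UNKNOWN`

func main() {
	fmt.Println(ConsistentFailures(ParseEvents(sampleLog), 3)) // map[bob@example.com:3]
}
```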


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
