Chrome DBSC: Shift from Bearer Cookies to Device-Bound Session Credentials
Most authentication systems are built around a comforting illusion: once a user successfully logs in, the system believes it knows who is on the other side of the connection.
In reality, most web applications do not continuously know who is using the session. They know only that each request carries a valid cookie.
That distinction is not academic. It is the reason session theft remains one of the most effective ways to bypass passwords, MFA, passkeys, risk checks, and even carefully designed identity-provider flows.