Device Bound Session Credentials (DBSC) for Symfony. It protects authenticated sessions from cookie theft by binding them to a hardware-backed private key (TPM) held by the user's browser.
Status: early work in progress. The DBSC specification is still a draft shipping behind a Chrome origin trial, so header names and payloads may change.
DBSC complements your existing authentication (passwords, WebAuthn, SSO). It does not change how users log in: it hardens the credential that follows. After login the browser generates a device-bound key pair and proves possession of it periodically, so a stolen cookie replayed from another machine stops working. The browser drives all the cryptography; the server side is one response header plus two endpoints, all provided by this bundle. Browsers without DBSC support degrade gracefully.
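The binding described above, as an added example that is not the bundle's own code: it models the exchange with a plain signed challenge rather than the draft's exact headers and payloads, and the class name and session id are assumptions made for the illustration. The server keeps only the public key registered at login, each refresh answers a fresh server-issued challenge, and the same session id presented without the device key fails verification.

```php
<?php
// Simplified model of DBSC session binding (example only, not the bundle's code).
declare(strict_types=1);
final class DeviceBoundSessionStore
{
    private array $sessions = []; // sessionId => [publicKey PEM, pending challenge]

    // Registration (once, after login): store the device's public key with the session.
    public function register(string $sessionId, string $publicKeyPem): void
    {
        $this->sessions[$sessionId] = ['publicKey' => $publicKeyPem, 'challenge' => null];
    }

    // Refresh, step 1: the server hands out a fresh single-use challenge.
    public function issueChallenge(string $sessionId): string
    {
        $challenge = bin2hex(random_bytes(32));
        $this->sessions[$sessionId]['challenge'] = $challenge;
        return $challenge;
    }

    // Refresh, step 2: the browser returns the challenge signed with its device key.
    public function verifyProof(string $sessionId, string $challenge, string $signature): bool
    {
        $s = $this->sessions[$sessionId] ?? null;
        if ($s === null || $s['challenge'] === null || !hash_equals($s['challenge'], $challenge)) {
            return false;
        }
        $this->sessions[$sessionId]['challenge'] = null; // a challenge can be answered once
        return openssl_verify($challenge, $signature, $s['publicKey'], OPENSSL_ALGO_SHA256) === 1;
    }
}

// Browser side, constructed for the example: a P-256 key standing in for the TPM-held key.
$ecParams = ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'];
$deviceKey = openssl_pkey_new($ecParams);
$store = new DeviceBoundSessionStore();
$store->register('sess-123', openssl_pkey_get_details($deviceKey)['key']);

// Legitimate refresh: the real device answers the challenge.
$challenge = $store->issueChallenge('sess-123');
openssl_sign($challenge, $signature, $deviceKey, OPENSSL_ALGO_SHA256);
$fromDevice = $store->verifyProof('sess-123', $challenge, $signature);

// Stolen cookie replayed from another machine: same session id, but a different key.
$challenge = $store->issueChallenge('sess-123');
openssl_sign($challenge, $otherSignature, openssl_pkey_new($ecParams), OPENSSL_ALGO_SHA256);
$fromElsewhere = $store->verifyProof('sess-123', $challenge, $otherSignature);
var_dump($fromDevice, $fromElsewhere);
```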
composer require spomky-labs/dbsc-bundle

In additive mode a short, device-bound cookie is issued alongside your existing session, which stays authoritative. You opt in at login and allow the two endpoints; the firewall is unchanged.
When you are ready, DBSC can take over the long-lived credential (the remember-me role) with a single firewall key (device_bound_session: true).
See Adoption modes for both, including the opt-in badge and the access control rules you need to define.
Full documentation lives in doc/:
- Concepts and security model
- Installation
- Configuration reference
- Adoption modes
- Migrating from remember-me
- Protocol and endpoints
- Production storage
- Extending the bundle
MIT. See LICENSE.