Spomky-Labs/dbsc-bundle

DBSC Bundle

Device Bound Session Credentials (DBSC) for Symfony. It protects authenticated sessions from cookie theft by binding them to a hardware-backed private key (TPM) held by the user's browser.

Status: early work in progress. The DBSC specification is still a draft shipping behind a Chrome origin trial, so header names and payloads may change.

What it does

DBSC complements your existing authentication (passwords, WebAuthn, SSO). It does not change how users log in: it hardens the credential that follows. After login the browser generates a device-bound key pair and proves possession of it periodically, so a stolen cookie replayed from another machine stops working. The browser drives all the cryptography; the server side is one response header plus two endpoints, all provided by this bundle. Browsers without DBSC support degrade gracefully.
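As an added illustration of the possession proof described above (this is not code from the bundle and not the bundle's API), the following PHP script models the server-side check in one process: a "browser" keeps a P-256 private key the server never sees, the server stores only the public key next to a session id, and every refresh of the short-lived cookie requires a fresh, single-use challenge signed with that key. The class names, the challenge and signature format, and the cookie handling are assumptions made for the demo; the real exchange uses the header and JWT shapes defined by the DBSC draft, which may still change.

```php
<?php
declare(strict_types=1);
// Added demo, not the bundle's code. Names and message formats are assumptions.

final class DeviceKey
{
    // Browser side: a software P-256 key standing in for the TPM-backed key.
    private \OpenSSLAsymmetricKey $private;
    public string $publicPem;

    public function __construct()
    {
        $key = openssl_pkey_new([
            'private_key_type' => OPENSSL_KEYTYPE_EC,
            'curve_name'       => 'prime256v1',
        ]);
        if ($key === false) {
            throw new RuntimeException('EC key generation failed: ' . openssl_error_string());
        }
        $this->private = $key;
        $this->publicPem = openssl_pkey_get_details($key)['key'];
    }

    // Sign the challenge together with the session id, so a signature cannot
    // be transplanted onto another session.
    public function sign(string $sessionId, string $challenge): string
    {
        if (!openssl_sign($sessionId . "\n" . $challenge, $sig, $this->private, OPENSSL_ALGO_SHA256)) {
            throw new RuntimeException('signing failed');
        }
        return base64_encode($sig);
    }
}

final class DbscServer
{
    /** @var array<string, array{publicPem: string, challenge: ?string, cookie: string}> */
    private array $sessions = [];

    // Registration, once after login: only the public key is stored.
    public function register(string $publicPem): string
    {
        $sessionId = bin2hex(random_bytes(16));
        $this->sessions[$sessionId] = ['publicPem' => $publicPem, 'challenge' => null, 'cookie' => $this->issueCookie()];
        return $sessionId;
    }

    // Refresh, step 1: hand out a random, single-use challenge.
    public function challenge(string $sessionId): string
    {
        $c = bin2hex(random_bytes(32));
        $this->sessions[$sessionId]['challenge'] = $c;
        return $c;
    }

    // Refresh, step 2: issue a new cookie only if the signature over the
    // outstanding challenge verifies under the registered public key.
    public function refresh(string $sessionId, string $challenge, string $signatureB64): ?string
    {
        $s = $this->sessions[$sessionId] ?? null;
        if ($s === null || $s['challenge'] === null || !hash_equals($s['challenge'], $challenge)) {
            return null; // unknown session, nothing outstanding, or a replayed challenge
        }
        $this->sessions[$sessionId]['challenge'] = null; // consume: each challenge is used once
        $sig = base64_decode($signatureB64, true);
        $pub = openssl_pkey_get_public($s['publicPem']);
        if ($sig === false || $pub === false) {
            return null;
        }
        if (openssl_verify($sessionId . "\n" . $challenge, $sig, $pub, OPENSSL_ALGO_SHA256) !== 1) {
            return null; // whoever holds the cookie does not hold the device key
        }
        return $this->sessions[$sessionId]['cookie'] = $this->issueCookie();
    }

    public function cookieIsCurrent(string $sessionId, string $cookie): bool
    {
        $s = $this->sessions[$sessionId] ?? null;
        return $s !== null && hash_equals($s['cookie'], $cookie);
    }

    private function issueCookie(): string
    {
        return bin2hex(random_bytes(16));
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Legitimate browser: register, then refresh with a signed challenge.
$server = new DbscServer();
$device = new DeviceKey();
$sid    = $server->register($device->publicPem);
$c1     = $server->challenge($sid);
$cookie = $server->refresh($sid, $c1, $device->sign($sid, $c1));
expect($cookie !== null && $server->cookieIsCurrent($sid, $cookie), 'device-bound refresh succeeds');

// Stolen cookie replayed from another machine: the session id and cookie are
// known, the private key is not, so the refresh is refused.
$otherMachine = new DeviceKey();
$c2 = $server->challenge($sid);
expect($server->refresh($sid, $c2, $otherMachine->sign($sid, $c2)) === null, 'foreign key is refused');

// Reusing an already consumed challenge is refused even with the right key.
expect($server->refresh($sid, $c1, $device->sign($sid, $c1)) === null, 'replayed challenge is refused');
echo "device-bound refresh accepted; stolen-cookie and replayed refreshes refused\n";
```

The point to take from the demo is where the secret lives: the server keeps a verifier (the public key) and a short-lived cookie, while the only thing that can mint a new cookie is a signature from a key that never leaves the device. Binding the session id into the signed message and consuming each challenge on first use are what keep a captured signature from being replayed against a different session or a later refresh.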

Installation

composer require spomky-labs/dbsc-bundle

Getting started

In additive mode a short, device-bound cookie is issued alongside your existing session, which stays authoritative. You opt in at login and allow the two endpoints; the firewall is unchanged.

When you are ready, DBSC can take over the long-lived credential (the remember-me role) with a single firewall key (device_bound_session: true).

See Adoption modes for both, including the opt-in badge and the access control to define.

Documentation

Full documentation lives in doc/:

License

MIT. See LICENSE.