spomky-labs / dbsc-bundle
Device Bound Session Credentials (DBSC) for Symfony - protect sessions from cookie theft with hardware-bound keys.
Package info
github.com/Spomky-Labs/dbsc-bundle
Type:symfony-bundle
pkg:composer/spomky-labs/dbsc-bundle
Requires
- php: >=8.2
- psr/clock: ^1.0
- psr/log: ^1.1|^2.0|^3.0
- symfony/config: ^7.4|^8.0
- symfony/dependency-injection: ^7.4|^8.0
- symfony/http-foundation: ^7.4|^8.0
- symfony/http-kernel: ^7.4|^8.0
- symfony/routing: ^7.4|^8.0
- symfony/security-bundle: ^7.4|^8.0
- symfony/security-core: ^7.4|^8.0
- symfony/security-http: ^7.4|^8.0
- web-token/jwt-library: ^4.0
Requires (Dev)
- symfony/framework-bundle: ^7.4|^8.0
Suggests
- symfony/web-profiler-bundle: To show the DBSC panel in the web profiler.
This package is auto-updated.
Last update: 2026-06-02 21:09:35 UTC
README
Device Bound Session Credentials (DBSC) for Symfony. It protects authenticated sessions from cookie theft by binding them to a hardware-backed private key (typically a TPM) that the user's browser holds on the device and never exports.
Status: early work in progress. The DBSC specification is still a draft shipping behind a Chrome origin trial, so header names and payloads may change.
What it does
DBSC complements your existing authentication (passwords, WebAuthn, SSO). It does not change how users log in; it hardens the credential that follows. After login the browser generates a device-bound key pair, registers the public key with the server, and then periodically proves possession of the private key by signing a fresh server-issued challenge, so a session cookie stolen and replayed from another machine stops working as soon as the next proof is required. The browser drives all the cryptography; the server side is one response header plus two endpoints (registration and refresh), all provided by this bundle. Browsers without DBSC support degrade gracefully, which also means the binding only protects sessions whose browser took part in it.
Installation
composer require spomky-labs/dbsc-bundle
Getting started
In additive mode a short-lived, device-bound cookie is issued alongside your existing session, which stays authoritative; routes that should require a bound device are then gated by the access control you define. You opt in at login and allow the two DBSC endpoints; the firewall configuration is otherwise unchanged.
When you are ready, DBSC can take over the long-lived credential (the remember-me role) with a single firewall key (device_bound_session: true).
See Adoption modes for both, including the opt-in badge and the access control rules to define.
Documentation
Full documentation lives in doc/:
- Concepts and security model
- Installation
- Configuration reference
- Adoption modes
- Protocol and endpoints
- Production storage
- Extending the bundle
License
MIT. See LICENSE.