02 — Overview
How Relock works
Relock binds every authenticated session to the device that created it. When a session token leaks — through malware, phishing, or a man-in-the-middle proxy — the attacker holds a credential that simply will not work anywhere else.
Instead of relying on static cookies and bearer tokens, Relock continuously proves possession of a hardware-backed device key on every request. The result is a silent layer of defense that runs underneath your existing auth flow.
03 — Test Relock
Attack scenarios
Relock device binding protects an authenticated session from being used by any other device. This application allows you to test it against three attack vectors that closely simulate real-world threats:
- Cookie Replay — your cookies only, replayed from an attacker's device.
- Session Hijack — your cookies + localStorage + sessionStorage, replayed from an attacker's device.
- Identity Impersonation (IMPaaS) — the same material as the Session Hijack scenario (T2), replayed from a device that looks like yours.
Each attack is more sophisticated than the last, peeling back another layer of conventional defense — password and MFA, then session risk signals, then even advanced device fingerprinting and intelligence suites.
Description
The simplest session theft. An attacker who obtains only your session cookie — from a proxy, an XSS leak, or a single line in a stealer log — replays it from their own browser to walk straight into your authenticated session. No password, no MFA prompt, because the session is already past both.
Testing scenario
Copy all active cookies from this browser and replay them from a fresh browser posing as a different device.
Expected outcome
Rejected. Relock requires a fresh integrity token to prove possession of the device key, and the attacker is not able to produce it.
04 — Testing harness
Run it yourself
You can replicate each of the simulated attack scenarios above with the same session replay harness that we used.
Just install the dependency, authenticate in a new browser instance, and select the attack tier.
npx playwright install chromium # first run only — downloads the browser (~150MB)
npx github:Relock-Security/sandbox#v0.3.0
Or clone and run it if you'd rather read the source first.
git clone https://github.com/Relock-Security/sandbox.git
cd sandbox
npm install
npm start
You can also point the harness at your own applications to test your exposure to session-level threats. It runs entirely on your machine(s) and never handles any sensitive input, such as passwords.
05 — Further reading
Go deeper on session security
External resources, documentation, and research from the Relock team.
Relock Security Context
How Relock binds sessions to devices and why it neutralizes threats.

Self-Assessment Tool
Test your own applications against simulated session-level attacks.

Session Integrity Report 2026
See how G2 Best and Fastest Growing software products fared against session replay attacks.

Get in touch
Reach out to the Relock team for a deep dive discussion.
