# Global Cookie Encryption

The **Global Cookie Encryption** feature is designed for customers deploying **WorkSpaces Manager** behind a load balancer with multiple instances. When enabled, this feature ensures consistent and secure user session handling across all instances by using a **shared encryption key** stored in AWS Systems Manager Parameter Store.

<figure><img src="https://2854239078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxEJOGCAr5O8d9q95spJy%2Fuploads%2FBfhRNokWcnS4omNPT4IV%2Fimage.png?alt=media&#x26;token=a37fea6f-4300-47c4-8e3b-bc2b939d26b4" alt=""><figcaption></figcaption></figure>

To support this functionality, the WSM instance role **must be granted the following permissions**:

```json
{
      "Version": "2012-10-17",
      "Statement": [
            {
                  "Effect": "Allow",
                  "Action": [
                        "ssm:PutParameter",
                        "ssm:GetParameter",
                        "ssm:GetParameters",
                        "ssm:DeleteParameter"
                  ],
                  "Resource": "*"
            }
      ]
}
```