When the Experience Service is configured for SSO, it uses a light-weight session stored as a browser cookie to manage each user's login session. This cookie is protected from tampering by a signature cookie. The signature cookie is generated using an encryption key, and the Experience Service stores the encryption key in the <home>/.ves directory of the user that started the experience service. The directory should be properly secured to prevent the encryption key being accessed by unauthorized users.