
Sending Session IDs with Post Message

postMessage is a browser API for securely sending data between windows. Several Vault configurations can send data using postMessage. For more information about postMessage, see Mozilla’s documentation.

When the Post Session credentials via Post Message checkbox is selected in a custom web tab, Vault sends the user’s session ID using postMessage rather than as a URL parameter. Learn more about custom web tabs in Vault Help.

When the Post Session Credentials via Form Data with Key "Session.id" checkbox is selected when configuring an external URL call job, Vault sends the user’s session ID using postMessage. Learn more about configuring external URL jobs in Vault Help.

When these options are selected, you must adjust your application to receive information from postMessage:

  1. Request the session ID from Vault by sending a “ready” message on the window load of the custom web tab or external URL.
  2. Listen for a message event from Vault with the session ID. The postMessage happens after the initial page load, so your web application must listen for message events.

Vault will return JSON data with the session ID.

For example, using jQuery:

<script type="text/javascript">
  let sessionId = '';
  // 1. Request the session ID from Vault
  $(window).on('load', function() {
    var readyMessage = JSON.stringify({'message_id': 'ready', 'data': {}});
    window.parent.postMessage(readyMessage, '*');
  });
  // 2. Listen for a message event from Vault
  $(window).on('message', function(e) {
    var message = JSON.parse(e.originalEvent.data);
    if (message['message_id'] == 'session_id') {
      sessionId = message['data']['session_id'];
    }
  });
  // Use the sessionId variable in the integration header or body data
</script>

This example JSON output shows the session ID returned from Vault:

{"message_id":"session_id","data": {"session_id":"9DA3848FF39392020…"}}

Once you have the session_id, your web application can store it using cookies. You can also pass the data into a Vault API request.
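The listener in the jQuery example above accepts a message from any window and sends "ready" with a `'*'` target. The following is an added example, not Vault's own code, of the same two steps without jQuery, with the sender and the message shape checked before the session ID is used. `VAULT_ORIGIN` is a placeholder you must replace, the function names are hypothetical, and it assumes Vault is the parent window and posts the JSON string shown above.

```javascript
// Assumption: placeholder for the exact origin (scheme + host) of your Vault.
const VAULT_ORIGIN = 'https://vault.example.invalid';

// Returns the session ID carried by a message event, or null when the event
// must be ignored. `event` is a MessageEvent or an object shaped like one.
function sessionIdFromEvent(event, expectedOrigin, expectedSource) {
  // Any window holding a reference to this one can post to it: check the sender.
  if (event.origin !== expectedOrigin) return null;
  if (expectedSource && event.source !== expectedSource) return null;
  if (typeof event.data !== 'string') return null;
  let message;
  try {
    message = JSON.parse(event.data);
  } catch (err) {
    return null; // not JSON, so not the message described on this page
  }
  if (!message || message.message_id !== 'session_id') return null;
  const id = message.data && message.data.session_id;
  return typeof id === 'string' && id.length > 0 ? id : null;
}

// Sends "ready" to the parent and resolves with the first valid session ID.
function requestSessionId(win, expectedOrigin) {
  return new Promise(function (resolve) {
    function onMessage(event) {
      const id = sessionIdFromEvent(event, expectedOrigin, win.parent);
      if (id === null) return; // keep listening, ignore unrelated messages
      win.removeEventListener('message', onMessage);
      resolve(id);
    }
    win.addEventListener('message', onMessage);
    const ready = JSON.stringify({ message_id: 'ready', data: {} });
    // A concrete targetOrigin: the browser drops the message if the parent is another origin.
    win.parent.postMessage(ready, expectedOrigin);
  });
}

// Browser only: run the exchange once the page has loaded.
if (typeof window !== 'undefined') {
  window.addEventListener('load', function () {
    requestSessionId(window, VAULT_ORIGIN).then(function (sessionId) {
      // Use sessionId in the integration header or body data
      void sessionId;
    });
  });
}
```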