Various examples are directed to systems and methods for secure communication sessions between a web application and a server. A session vault routine executing at a computing device may receive a first request message directed to a server computing device. The first request message may comprise a client session identifier at a session identifier field of the first request message. The session vault routine may access supplemental session identifier data from a session vault persistence at the data storage. The session vault routine may write the supplemental session identifier data to a second field of the first request message, and initiate sending the first request message to the server computing device.