So the only way (On Demand 14.3) that I have been able to get this to work is to place a simple html code block that contains JavaScript code that looks up the sessionID and then does a url redirect to my external system passing along the session ID.
Here is a simple example to post a set of urls with the sessionID.
Which renders:
The HTML code:
<div>
<a class="seCheckBook" href="https://www.example.com/search?q=" target="_blank">CheckBook 1 = </a> <br>
<a class="seCheckBook" href="https://www.example.com/search?q=" target="_blank">CheckBook 2 = </a> <br>
<a class="seCheckBook" href="https://www.example.com/search?q=" target="_blank">CheckBook 3 = </a> <br>
<a class="seCheckBook" href="https://www.example.com/search?q=" target="_blank">CheckBook 4 = </a> <br>
</div>
<script>
var i = 0;
var href = "";
var sessionId = "";
var cookies = document.cookie.split(';');
var cookie = "";
var value = "; " + document.cookie;
var parts = value.split("; sessionId=");
if (parts.length == 2) sessionId = parts.pop().split(";").shift();
var links = document.getElementsByClassName("seCheckBook");
for (i = 0; i < links.length; i++) {
href = links[i].getAttribute("href");
href = href + sessionId;
links[i].setAttribute("href", href);
links[i].innerHTML = links[i].innerHTML + sessionId;
}
</script>
The XSS settings as Nick has pointed out make doing anything interesting in On Demand pretty hard.
For On Premise, it is way easier as most of the XSS protection are centered around the domain. So I would just setup a new web app on the PPM server listening on a different port.
V/r,
Gene