I am trying to pass encrypted data via a browser/client session variable - not to be confused with server-side session variable:

encrypt:

var encrypted_user_id = CryptoJS.AES.encrypt(user_id, cipher_pass);
var encrypted_user_password = CryptoJS.AES.encrypt(password, cipher_pass);

sessionStorage.setItem('user_id', encrypted_user_id);
sessionStorage.setItem('user_password', encrypted_user_password);

decrypt:

var encrypted_user_id = sessionStorage.getItem('user_id');
var encrypted_user_password = sessionStorage.getItem('user_password');

var plaintext_user_id = CryptoJS.AES.decrypt(encrypted_user_id, cipher_pass).toString(CryptoJS.enc.Utf8);
var plaintext_user_password = CryptoJS.AES.decrypt(encrypted_user_password, cipher_pass).toString(CryptoJS.enc.Utf8);

There is no error, but the plaintext is empty string.

If I perform the exact same encryption/decryption using variables instead of sessionStorage it works fine.

What am I not understanding? Is there something about session variables that is different than a local variable?

So I've made a fiddle to test it out. And I think the problem (although in fairness your original code seemed to work for me too) is that for the encryption you should do this instead:

var encrypted_user_id = CryptoJS.AES.encrypt(user_id, cipher_pass).toString();

Why? Without the to string, you're storing an object that JSON can't serialize, so when you're getting your object back from session storage you're getting back something different than you intended.