I want to create a Django application with some logged-in users. On another side, since I want some real-time capabilities, I want to use an Express.js application.

Now, the problem is, I don't want unauthentified users to access Express.js application's datas. So I have to share a session Store between the Express.js and the Django applications.

I thought using Redis would be a good idea, since the volatile keys are perfect for this fit, and I already use Redis for another part of the application.

On the Express.js application, I'd have this kind of code :

[...]
this.sessionStore = new RedisStore;
this.use(express.session({
  // Private crypting key
  secret: 'keyboard cat', // I'm worried about this for session sharing
  store: this.sessionStore,
  cookie: {
    maxAge: 1800000
  }
}))
[...]

On the Django side, I'd think of using the django-redis-session app.

So, is this a good idea? Won't there be any problem? Especially about the secret key, I'm not sure they will both share the same sessions.

You will have to write a custom session store for either Express or Django. Django, by default (as well as in django-redis-sessions) stores sessions as pickled Python objects. Express stores sessions as JSON strings. Express, with connect-redis, stores sessions under the key sess:sessionId in redis, while Django (not totally sure about this) seems to store them under the key sessionId. You might be able to use django-redis-sessions as a base, and override encode, decode, _get_session_key, _set_session_key and perhaps a few others. You would also have to make sure that cookies are stored and encrypted in the same way.

Obviously, it will be way harder to create a session store for Express that can pickle and unpickle Python objects.