DEV Community: Stevan Andric

How to Track Website Visitors Without Cookies in 2026

Stevan Andric — Thu, 28 May 2026 15:05:17 +0000

For most of the web's history, "analytics" meant "cookies." You dropped a script on your site, it set a cookie, and that cookie followed the visitor around so you could tell a returning user from a new one. That model is quietly falling apart, and if you maintain a website in 2026 you've probably already felt it.

This is a practical look at what cookieless visitor tracking actually involves today — the techniques, what they're good at, and the trade-offs that don't usually make it into the marketing copy.

Why cookies stopped working

Three things happened at roughly the same time.

Browsers got aggressive. Safari's Intelligent Tracking Prevention caps script-set cookies at seven days, often 24 hours. Firefox isolates third-party storage. Third-party cookies are effectively gone across the board. The result: a returning visitor frequently looks brand new because their cookie expired or got partitioned away.

Users delete and block. Ad blockers and privacy extensions are mainstream now, not a niche concern.

Consent fatigue is real. Even when cookies technically work, you need a banner — and a large share of users dismiss or reject it, so you never get the data anyway.

The net effect is that cookie-based "unique visitor" counts have drifted from "roughly accurate" toward "roughly fiction."

The cookieless options

There is no single drop-in replacement. A few approaches, roughly from least to most precise:

Server-side / aggregate counting. Count requests and hash IP + User-Agent into a daily rotating identifier, then report aggregate numbers. This is what privacy-focused tools like Plausible do. It's genuinely low-risk, and in some jurisdictions it can run without a consent banner. The downside: you lose cross-session identity. A visitor who comes back tomorrow is just a new row.

First-party storage tricks. localStorage, IndexedDB, ETag caching. These can survive a little longer than cookies in some browsers, but they're subject to the same privacy clampdowns — and the same consent rules. Storage is storage.

Browser fingerprinting. Instead of storing an ID on the device, you derive one from the device: screen dimensions, installed fonts, canvas and WebGL rendering quirks, the audio stack, timezone, language. Combine enough signals and you get an identifier stable enough to recognize the same browser across sessions — with nothing stored on the device at all.

Fingerprinting is the only cookieless approach that genuinely recovers cross-session identity. That's why it's having a moment. It's also the option with the biggest asterisk, so let's be honest about it.

The honest part: cookieless is not consent-free

It's tempting to read "no cookies" as "no consent banner." It isn't that simple.

In the EU, the legal trigger isn't the cookie itself — it's accessing or storing information on the user's device. The ePrivacy rules, and regulators including the EDPB and the UK's ICO, have been explicit that fingerprinting falls under the same requirement as cookies. The identifier you derive is also personal data under GDPR. So fingerprinting-based analytics that recognizes returning visitors generally still needs prior consent for EU traffic.

There is a narrow audience-measurement exemption that some regulators (France's CNIL, the ICO) allow — but it's meant for aggregate, non-cross-site statistics, and a persistent fingerprint identity doesn't fit it cleanly.

So here's the realistic picture: going cookieless can simplify your stack and survive browser clampdowns, but it does not automatically free you from a consent banner or a privacy policy. Treat any tool that promises otherwise with suspicion. For EU traffic, the right setup is still a banner that gates the script until the user agrees, plus a clear privacy policy describing what you collect.

What you genuinely do get from going cookieless: data that doesn't silently degrade as browsers tighten storage, no third-party cookie dependency, and a smaller, simpler client footprint.

Where identity-js fits

identity-js is the tool I've been using for this. It's a fingerprint-based analytics script — one tag, no cookies, no dependencies — with a real-time dashboard. Beyond visitor counts it also does bot detection, rage-click and frustration tracking, SEO auditing, and reading-behavior analysis. That's the kind of data that actually helps you understand a site, not just count heads.

I like it because the fingerprinting solves the returning-visitor problem that cookie-based tools fumble. I'd still pair it with a consent banner for EU visitors: the tool handles the tracking, but compliance is still on you. Used honestly, it's a solid cookieless option — just don't let "no cookies" lull you into skipping the legal groundwork.

Getting started

Installation is a single script tag:

<script src="https://www.identity-js.com/tracker/dist/identity.min.js" data-api-key="YOUR_API_KEY"></script>

Drop that into your <head> and — assuming you've got consent handling sorted — the dashboard starts populating. There's a free tier, so you can try it without committing anything.

If you'd rather see what the data looks like before installing, there's a live demo: https://www.identity-js.com/demo

Cookieless tracking in 2026 isn't a magic "no rules" button. But done with eyes open, it's a more durable foundation than the cookie model it's replacing.

I Built a Cookie-Free Visitor Analytics Platform — Here's What I Learned

Stevan Andric — Mon, 20 Apr 2026 21:21:37 +0000

I Built a Cookie-Free Visitor Analytics Platform — Here's What I Learned

TL;DR: I built identity-js, an open-source visitor intelligence platform that uses browser fingerprinting and behavioral analytics to understand how people actually use your site — no cookies, no consent banners. You can try the live demo right now.

The Problem

Every analytics tool I tried fell into one of two camps: either it was a bloated, cookie-dependent behemoth that required consent banners across half the page, or it was a privacy-first counter that told me someone visited but nothing about how they experienced my site.

I wanted something in between. I wanted to know: are visitors frustrated? Are they rage-clicking on something that looks like a button but isn't? Are they abandoning my signup form halfway through? Are bots inflating my numbers?

None of the tools I found answered all of these questions without requiring cookies or a 200KB script.

So I built one.

What identity-js Does

At its core, identity-js is a lightweight tracker (29KB gzipped, zero dependencies) that collects 40+ browser signals and watches for 11 behavioral patterns in real time.

Browser fingerprinting generates a persistent visitor ID from signals like canvas rendering, WebGL parameters, audio context, installed fonts, speech synthesis voices, and math engine quirks. No cookies needed — the ID survives cookie clears and private browsing.

Behavioral tracking is where it gets interesting. The tracker automatically detects:

Rage clicks — rapid frustrated clicking on the same spot
Dead clicks — clicks on elements that do nothing
Phantom clicks — clicks on things that look interactive but aren't
Form abandonment — forms started but never submitted, including which field they bailed on
Input hesitation — how long someone stares at a field before typing (a strong signal of confusion)
Reading behavior — whether someone is actually reading, skimming, or just scrolling past
Error tracking — JS exceptions and console errors your visitors hit
Text copying — when users copy text from your pages (great for knowing what content resonates)

All of these feed into a frustration score — a weighted composite that tells you at a glance which visitors are having a bad time on your site.

The Stack (Zero Dependencies on the Server Too)

The whole server runs on pure Node.js with zero npm dependencies. I used Node 22's built-in node:sqlite module for the database, node:crypto for auth (scrypt + HMAC-SHA256 tokens), and built the HTTP routing from scratch.

The dashboard is a single HTML file — no React, no build step, no framework. Just vanilla JS with a hand-rolled router and CSS custom properties for theming. It includes an interactive map (Leaflet), real-time live visitor view, per-visitor drill-downs with full session timelines, and PDF report exports.

The tracker builds to UMD, CJS, and ESM via Webpack, so it works everywhere — script tag, npm import, or require.

import IdentityJS from '@identityjs/tracker';

const visitor = await IdentityJS.init({
  apiKey: 'pk_live_YOUR_KEY',
});

// That's it. Fingerprinting + all behavioral tracking starts automatically.
// Want custom events too?
visitor.track('signup_clicked', { plan: 'pro' });

Bot Detection Without ML

One thing I'm particularly happy with is the bot detection system. Instead of relying on machine learning or third-party services, it scores visitors 0–100 based on observable signals: missing browser APIs, headless browser flags, impossible screen configurations, zero-entropy fingerprints, and behavioral patterns (or lack thereof).

A real human browsing your site produces a messy, unique fingerprint with varied interactions. A bot produces clean, predictable signals with mechanical timing. The scoring system catches this reliably, and the dashboard surfaces bot visitors separately so they don't pollute your analytics.

The Live Demo

Rather than asking you to sign up to see if this is useful, I built a live demo that loads the real dashboard with realistic sample data. You can explore visitor profiles, see the frustration scoring in action, browse session timelines, check out the bot detection — everything the real product does, with no account required.

The demo includes 14 sample visitors with varied profiles: different browsers, devices, locations, and behaviors. There's a frustrated user with rage clicks and form abandons, a detected bot with suspicious signals, and regular visitors with realistic browsing patterns.

What I Learned Building This

Browser fingerprinting is more stable than I expected. The combination of canvas, WebGL, audio context, and font enumeration produces remarkably consistent hashes across sessions. The key is using enough signals that any single one changing doesn't break the whole ID.

Behavioral signals are more valuable than pageview counts. Knowing that 40% of visitors rage-click your pricing toggle, or that the average hesitation time on your email field is 8 seconds, tells you more than knowing you had 10,000 visits last month.

Zero-dependency servers are liberating. Not having node_modules means the entire server deploys in seconds, has zero supply chain risk, and is trivial to audit. Node 22's built-in SQLite is surprisingly capable for a single-server analytics product.

Single-file dashboards aren't as crazy as they sound. Yes, the dashboard HTML file is large. But it loads instantly (one request, no waterfall), is trivial to cache, and I never have to debug a webpack config. For an internal tool like this, the tradeoff is worth it.

Try It

Live Demo — explore the full dashboard with sample data
Website — landing page and signup
npm package — npm install @identityjs/tracker
GitHub — full source code

The free tier includes 1,000 visitors and 10,000 events/month. If you're building something and want to understand how your visitors actually experience it, give it a shot.

If you have questions or feedback, drop a comment — I'd love to hear what you think.