DEV Community

Zenovay
Zenovay

Posted on

Cookieless web analytics: how it actually works under the hood

#webdev #analytics #javascript #privacy

'Cookieless analytics' gets thrown around as a marketing term. What does it actually mean technically? How do you identify unique visitors without a cookie?

This post is a complete technical breakdown of how it works in Zenovay, in case you are building something similar or evaluating tools.

What a traditional analytics cookie does

In GA4 and most legacy tools:

Set-Cookie: _ga=GA1.2.1234567890.1697123456; Max-Age=63072000; Path=/
Enter fullscreen mode Exit fullscreen mode

Two roles: unique identifier for the visitor + persistence across sessions.

The cookieless approach: ephemeral fingerprinting

Instead of storing an ID, generate one server-side per visit using non-identifying signals:

function generateVisitorId(request) {
  const signals = [
    request.headers.get('User-Agent'),
    request.headers.get('Accept-Language'),
    request.cf?.country,
    salt(getCurrentDay())
  ].join('|')

  return crypto.subtle.digest('SHA-256', new TextEncoder().encode(signals))
}
Enter fullscreen mode Exit fullscreen mode

Key property: this ID cannot be reversed to identify the person, rotates daily, and is consistent within a single day for the same browser.

Sessions without cookies

A session in cookieless analytics is defined as: events from the same visitor ID within a 30-minute inactivity window. Handled server-side via Cloudflare KV with TTL.

The tracking script

Has to be tiny. Zenovay's is 1.4kb gzipped.

;(function() {
  const send = (type, data) => {
    fetch('https://e.zenovay.com/c', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        type,
        site: 'your-site-id',
        url: location.href,
        ref: document.referrer,
        ts: Date.now(),
        ...data
      }),
      keepalive: true
    })
  }

  send('pageview', {})
})()
Enter fullscreen mode Exit fullscreen mode

Notice: no cookies set, no localStorage written, no fingerprinting library loaded.

What you give up

  • Cannot track returning visitors across days as the same visitor
  • Cannot do persistent A/B test assignment client-side
  • Cannot do detailed multi-session funnel analysis for anonymous users

What you keep: accurate per-session funnels, pageviews, events, bounce rate, per-day unique counts, path analysis, revenue attribution via auth bridge.

Why this matters

In typical European traffic, GA4 reports roughly 40–60% of actual sessions due to consent rejection. Cookieless reports close to 100% because there is nothing to consent to.

If you want to see this in action on a real product: zenovay.com

— Valerio

Top comments (0)