Cookieless web analytics – report

As promised on this blog a few weeks ago, here’s a report from a few weeks of evaluating the cookieless web analytics package eVisit Analyst:

Issues with cookieless web analytics

Tracking user sessions without using http cookies or similar technologies (such as Flash Local Stored Objects or HTML5 localStorage) regulated in the EU cookie law requires that you have some other method for recognizing the visitor. The IP number of the visitor’s computer can be used, of course, but if you rely on the IP address then all visitors from computers hidden behind one NAT service (such as a corporate internet router) will seem to be one visitor in the website analytics.

This problem can be reduced if users are identified not only by IP but also by web browser version. More specifically, the UserAgent http header, which is normally sent from the browser with every request, can be used in combination with IP address. This is the path taken by eVisit Analyst.

The UserAgent string contains not only browser version, but also some other data about the visitor’s browser configuration (operating system etc.). The following is an example:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

You can find your own current UserAgent string by visiting

The combination of IP and UserAgent means that only visitors with identical browser version and identical operating system who reside behind the same NAT device will be confused by the web statistics package. Unfortunately, this may be the case for a few of your visitors. Especially those who visit your website from their desktop computer at work – because some organizations standardize their office computing configurations.

When IPv6 catches on, this problem will probably be solved automatically, because every single computer can have its own IPv6 address and there will be no need to use NAT services. But we´re not there yet.

A challenge if you use IP addresses to keep track of visitors is that the storage of IP address may, just like cookies, affect user privacy, and therefore be subject to laws other than the ”Cookie law”. How big a challenge this is depends on your jurisdiction. In Germany, for example, the laws are quite restrictive about storing IP numbers, from what I understand.

Such problems can, at least partially, be handled by not storing the actual IP, but instead a hashcode computed from the IP using an irreversible algorithm – or by not storing the entire IP but only part of it. The makers of eVisit Analyst offers such solutions. Some configuration options are included in the product while others require customized solutions for which you have to pay extra.

eVisit Analyst

eVisit Analyst is the only product I have seen that is being marketed with ”cookieless” as a main feature. Its other features seem to be quite nice, but I have not made a thorough evaluations of them. The provider, british Maxsi Ltd, seem professional, friendly and open and answer email promptly.

Other options

There are a few other analytics solutions that do not profile themselves as cookieless, but that can be configured not to set any cookies. One example is Vizzit – attractive on the Swedish market because they have a tight integration with EPiServer CMS. Another example is the open-source analytics solution Piwik. And of course you can always analyze your webserver logs with tools such as AWstats.


Getting slightly mixed up usage statistics from 100% of your visitors is probably more useful for you than getting usage statistics from only 10% of your visitors, as can happen if you use a cookie dependent statistics solution but only after asking visitors for permission.

What are other analytics solution providers doing with regards to the EU cookie law?


Innehållet är taggat med:


3 kommentarer till artikeln


  1. That sums up the situation nicely. And the last point is critical. My feeling is that slightly mixed up analytics will still be easily good enough for most business decisions about your web estate.
  2. Hi, do you have any instructions on how you implemented your landing page? That seems like the best solution to me. Many thanks.
  3. [...] While people are agonizing over how compliance will gut websites’ ability to identify and meet user demand, that’s not the problem. The problem is that, in order to have jurisdiction over attempts to weasel out of it by Google and Facebook, it doesn’t set clear boundaries. It’s up to the judge to determine whether cookies like PHPSESSID require prior opt-in from users and not even employees of the UK government are eager to comply. [...]