[yorwba]

By combining the request's IP, user agent and OS to create a unique session ID: https://github.com/mikecao/umami/blob/f8ac987bfc0df581721bd2...

This will undercount some visitors and overcount others, but it should be good enough for most purposes.

[kevinbowman]

Interestingly, the OS is detected from the user agent, so really it’s only hashing the IP and the user agent.

[lucasmullens]

So an entire school district would be the same user?

Seems reasonable for most cases, but if you're a website that's used a lot by schools or businesses, they might have every computer using the same user agent and IP.

[esrh]

This is unfortunate in a way because it's easy to deny cookiee but hard to spoof all of those