I messed around with the code, with the intention of creating session-entries and cookies based on browser fingerprints – though as I write this I'm not sure what that would accomplish. The cookie's set to expire in a year, so a fingerprint would last longer, but the fingerprint would also probably change as browsers and operating systems are updated etc. In any case, I set another request from the browser to the image path, with the fingerprint as a query parameter. Working with the code I realized a few things – nedb-session-store really deals with most of the work, black-boxing the session/cookie interaction and creation.. as I was trying to change the UUID I realized that the db entries for the same cookie had their own ID that was consistent for the same session.
I sent myself an email with the image, to see if email tracking works. It seems the session doesn't persist, so maybe gmail is doing some stuff to prevent this kind of tracking.