I messed around with the code, with the intention of creating session-entries and cookies based on browser fingerprints – though as I write this I'm not sure what that would accomplish. The cookie's set to expire in a year, so a fingerprint would last longer, but the fingerprint would also probably change as browsers and operating systems are updated etc. In any case, I set another request from the browser to the image path, with the fingerprint as a query parameter. Working with the code I realized a few things – nedb-session-store really deals with most of the work, black-boxing the session/cookie interaction and creation.. as I was trying to change the UUID I realized that the db entries for the same cookie had their own ID that was consistent for the same session.

can't seem to insert the image as an image here ... 

I spent too much time doing this, and didn't get around to adding more tracking behavior.. though was also wondering how much more one could track with an image as I can't modify much that the client will send me aside from query parameters. If I could somehow trick someone to embedding some javascript there would be a lot more options. Google and FB etc don't need to do these tricks since people happily copy in their javascript in order to get social buttons etc. But as a third party, it seemed the hump was more in tricking people vs tricking the computer... maybe I'm missing something here.

I sent myself an email with the image, to see if email tracking works. It seems the session doesn't persist, so maybe gmail is doing some stuff to prevent this kind of tracking.