Sessions & identity

How Sumidata tracks a visitor across pages, tabs, and login events — and how identity gets stitched to the accounts you already know.

01Three-tier identity model

Three identifiers work together — each with its own lifetime and storage.

Device ID

localStorage

Survives browser restarts. Anonymous.

Session ID

sessionStorage

Per browser tab. 30-min idle timeout.

User ID

via identify()

Stable across devices, cross-session.

02Automatic user isolation

Safe user switching on shared devices — no history bleed between accounts.

When identify() is called with a different user ID than the current session, the SDK automatically closes the current session and starts a fresh one bound to the new identity.

app.js

// User A logs in
Sumidata.push('identify', ['alice@example.com'])
// Session abc-123, linked to Alice

// Later, User B logs in on the same device
Sumidata.push('identify', ['bob@example.com'])
// → session abc-123 flushed, new session xyz-789 bound to Bob
// → Alice and Bob histories stay separate

03OAuth & redirect resilience

Checkout and OAuth flows redirect the user off your domain. The SDK rehydrates on return.

Before redirecting out, the SDK backs up the session to localStorage. On return:

If the same project loads within 30 minutes and the same device ID is present, the session continues as if no redirect happened.
Otherwise, a new session is started — but the user-level identity persists so attribution is maintained.

Practical effect: Stripe, Google OAuth, Apple Pay redirects won't fragment your funnel. Conversions that happen on return still attribute to the original session's traffic source.