您可以使用fingerprintjs2

new Fingerprint2().get(function(result, components) {
  console.log(result) // a hash, representing your device fingerprint
  console.log(components) // an array of FP components
  //submit hash and JSON object to the server 
})

在此之后，您可以根据现有用户检查所有用户并检查JSON相似性，因此即使他们的指纹发生了突变，您仍然可以跟踪他们

通过HTTP连接只能获得少量信息。

IP - But as others have said, this is not fixed for many, if not most Internet users due to their ISP's dynamic allocation policies. Useragent String - Nearly all browsers send what kind of browser they are with every request. However, this can be set by the user in many browsers today. Collection of request fields - There are other fields sent with each request, such as supported encodings, etc. These, if used in the aggregate can help to ID a user's machine, but again are browser dependent and can be changed. Cookies - Setting a cookie is another way to identify a machine, or more specifically a browser on a machine, but as others have said, these can be deleted, or turned off by the users, and are only applicable on a browser, not a machine.

So, the correct response is that you cannot achieve what you would live via the HTTP over IP protocols alone. However, using a combination of cookies, as well as IP, and the fields in the HTTP request, you have a good chance at guessing, sort of, what machine it is. Users tend to use only one browser, and often from one machine, so this may be fairly relieable, but this will vary depending on the audience...techies are more likely to mess with this stuff, and use more machines/browsers. Additionally, this could even be coupled with some attempt to geo-locate the IP, and use that data as well. But in any case, there is no solution that will be correct all of the time.

假设您不希望用户拥有控制权，那么您就不能这样做。网络并不是这样工作的，你能期望的最好的是一些启发式。

如果你可以强迫访问者安装一些软件并使用TCPA，你可能会成功。

当我使用一台从未访问过我的网上银行网站的机器时，我被要求进行额外的身份验证。然后，如果我第二次回到网上银行网站，我不会被要求额外的身份验证……我删除了IE中的所有cookie，并重新登录到我的网上银行网站，完全期待再次被问到身份验证问题。令我吃惊的是，没有人问我。这难道不会让人相信银行正在做某种不涉及cookie的PC标记吗?

这是银行使用的一种非常常见的身份验证类型。

假设您正在通过example-isp.com访问您的银行网站。第一次登录时，系统会要求您输入密码，并进行额外的身份验证。一旦您通过了认证，银行就知道用户“thatisvaliant”已通过身份验证，可以通过example-isp.com访问该网站。

将来，当您通过example-isp.com访问该网站时，它将不会要求额外的身份验证(除了您的密码)。如果您试图通过another-isp.com访问该银行，该银行将再次执行相同的程序。

总之，银行识别的是你的ISP和/或网络块，基于你的IP地址。显然，ISP上的每个用户都不是你，这就是为什么银行仍然要求你输入密码的原因。

当你在另一个国家使用信用卡时，你有没有接到信用卡公司的电话来核实事情是否正常?相同的概念。

cookie和非cookie方法都有缺陷。但是如果你能原谅cookie方法的缺点，这里有一个想法。

如果你已经在你的网站上使用谷歌Analytics，那么你不需要自己编写代码来跟踪独特的用户。谷歌分析为您通过__utma cookie值，如谷歌的文档中所述。通过重用这个值，您不会创建额外的cookie有效负载，这对于页面请求具有效率优势。

您可以很容易地编写一些代码来访问该值，或者使用脚本的getUniqueId()函数。

The suggestions to use cookies aside, the only comprehensive set of identifying attributes available to interrogate are contained in the HTTP request header. So it is possible to use some subset of these to create a pseudo-unique identifier for a user agent (i.e., browser). Further, most of this information is possibly already being logged in the so-called "access log" of your web server software by default and, if not, can be easily configured to do so. Then, a utlity could be developed that simply scans the content of this log, creating fingerprints of each request comprised of, say, the IP address and User Agent string, etc. The more data available, even including the contents of specific cookies, adds to the quality of the uniqueness of this fingerprint. Though, as many others have stated already, the HTTP protocol doesn't make this 100% foolproof - at best it can only be a fairly good indicator.