Cookies, Sessions And Identity

To attribute a series of hits to the same visitor, a tool stores an identifier in a first-party cookie. GA4, for example, keeps a client idclient_idGA4's per-browser identifier, stored in the _ga cookie, used to attribute hits to the same browser across sessions. in the _ga cookie_ga cookieGA4's first-party cookie that stores the client_id that identifies a browser across sessions. and attaches it to every hit.

From hit to user

• Client id, identifies a browser, stored in a cookie.
• SessionsessionA time-bounded group of user activity; in GA4, it ends after 30 minutes of inactivity., a time-bounded group of activity (it ends after a period of inactivity).
• User iduser_idYour own identifier for a logged-in user that lets GA4 stitch visits across devices and browsers., your own logged-in identifier, which can stitch sessions across devices.

Because this rests on cookies, anything that clears or shortens them, privacy settings, different devices, incognito, fragments the picture. That is the root cause of many "why are users inflated?" questions.