How does session replay actually work?
Session replay does not record pixels. Instead, the recorder script in the browser serializes the initial DOM snapshot, then listens for incremental changes using standard browser APIs:
MutationObserverfor DOM tree changesaddEventListenerforclick,input,scroll,mouseover,touchstartCSSStyleSheetpatching for stylesheet editsXMLHttpRequestandfetchwrappers for network metadataPerformanceObserverfor navigation and resource timings
Each of these is timestamped and pushed into an event buffer. The buffer is periodically flushed to the backend. On replay, a player rebuilds the original DOM in a sandboxed iframe, then re-applies each event in time order, producing a perfectly faithful, scrubbable rendering of what the user saw and did.
What does session replay capture?
A typical session replay event stream contains:
- Full initial DOM snapshot (HTML + computed inline styles for the visible viewport)
- Incremental DOM mutations (
childList,attributes,characterData) - Mouse position, click coordinates, and scroll offsets
- Form input values (unless masked)
- Console logs and uncaught JS errors
- Network request URLs, methods, statuses, and timings (bodies are usually excluded)
- Page navigation events and viewport resizes
What does session replay NOT capture?
Because it is not a video, session replay typically cannot reconstruct:
- Content inside cross-origin iframes
<canvas>and WebGL pixel data unless explicitly serialized- Native browser dialogs (
alert,confirm, file pickers) - Content from password managers or browser extensions
- Audio and video element contents (only the element state)
Is session replay GDPR compliant?
Session replay is legal in the EU only when configured properly. Under GDPR Article 6, you need a lawful basis — usually legitimate interest for product analytics, or explicit consent if you capture personal data. Common compliance controls:
- Mask all
<input type="password">by default (rrweb does this automatically) - Mask elements via CSS class (
.lt-mask) or selector lists - Block entire sections via
data-replay="block"attributes - Strip query strings and Authorization headers from network events
- Honor Do Not Track and consent-management platforms (OneTrust, Cookiebot)
- In the US, the California Invasion of Privacy Act (CIPA) has triggered a wave of "wiretapping" lawsuits — masking PII and disclosing replay in your privacy policy is the standard mitigation
Which libraries dominate the ecosystem?
| Library | License | Notes |
|---|---|---|
| rrweb | MIT | The de-facto open-source recorder; powers most vendors |
| OpenReplay | Elastic v2 | Self-hosted full stack built on rrweb |
| PostHog Session Replay | MIT (core) | Bundled with PostHog product analytics |
| Sentry Session Replay | BSL | Stitches replays to error stack traces |
| Highlight.io | Apache 2.0 | Open-source observability with replay |
Most commercial vendors are wrappers around rrweb or a fork of it.
How big are the payloads?
Because it is an event stream and not a video, a typical 5-minute session ranges from 50 KB to 500 KB gzipped — roughly 10 to 100 times smaller than equivalent video. That is what makes broad replay coverage economically viable without shipping video files around.
How it relates to CloseTrace
CloseTrace uses session replay as the foundation for its lead recovery workflow. When a visitor abandons a form or hits a rage click, the matching replay is automatically attached to the lead in the inbox so the team can see the exact moment of friction without asking the visitor to reproduce it.