diff --git a/src/lib/server/api/controllers/login.controller.ts b/src/lib/server/api/controllers/login.controller.ts
index 3f7a81c..046d971 100644
--- a/src/lib/server/api/controllers/login.controller.ts
+++ b/src/lib/server/api/controllers/login.controller.ts
@@ -1,20 +1,20 @@
 import 'reflect-metadata';
-import {Controller} from '$lib/server/api/common/types/controller';
-import {cookieExpiresAt, createSessionTokenCookie, setSessionCookie} from '$lib/server/api/common/utils/cookies';
-import {signinUsernameDto} from '$lib/server/api/dtos/signin-username.dto';
-import {SessionsService} from '$lib/server/api/services/sessions.service';
-import {zValidator} from '@hono/zod-validator';
-import {openApi} from 'hono-zod-openapi';
-import {inject, injectable} from 'tsyringe';
-import {limiter} from '../middleware/rate-limiter.middleware';
-import {LoginRequestsService} from '../services/loginrequest.service';
-import {signinUsername} from './login.routes';
+import { Controller } from '$lib/server/api/common/types/controller';
+import { cookieExpiresAt, createSessionTokenCookie, setSessionCookie } from '$lib/server/api/common/utils/cookies';
+import { signinUsernameDto } from '$lib/server/api/dtos/signin-username.dto';
+import { SessionsService } from '$lib/server/api/services/sessions.service';
+import { zValidator } from '@hono/zod-validator';
+import { openApi } from 'hono-zod-openapi';
+import { inject, injectable } from 'tsyringe';
+import { limiter } from '../middleware/rate-limiter.middleware';
+import { LoginRequestsService } from '../services/loginrequest.service';
+import { signinUsername } from './login.routes';
 @injectable()
 export class LoginController extends Controller {
 constructor(
 @inject(LoginRequestsService) private readonly loginRequestsService: LoginRequestsService,
- @inject(SessionsService) private luciaService: SessionsService,
+ @inject(SessionsService) private sessionsService: SessionsService,
 ) {
 super();
 }
@@ -29,6 +29,13 @@ export class LoginController extends Controller {
 const { username, password } = c.req.valid('json');
 const session = await this.loginRequestsService.verify({ username, password }, c.req);
 const sessionCookie = createSessionTokenCookie(session.id, cookieExpiresAt);
+
+ // Cleanup old session
+ const currentSession = c.var.session;
+ if (currentSession) {
+ await this.sessionsService.invalidateSession(currentSession.id);
+ }
+ console.log('set cookie', sessionCookie);
 setSessionCookie(c, sessionCookie);
 return c.json({ message: 'ok' });
diff --git a/src/lib/server/api/index.ts b/src/lib/server/api/index.ts
index 1e5f4a2..3f3f155 100644
--- a/src/lib/server/api/index.ts
+++ b/src/lib/server/api/index.ts
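Review bot: `console.log('set cookie', sessionCookie);` writes the session cookie, token value included, to stdout on every successful login, so a valid credential lands in whatever collects server logs; the collapsed hunk does not let me tell whether that line is added here or pre-existing context, but it is on the new side directly under the new cleanup block and should be removed, or at least reduced to `console.log('set cookie');`. The cleanup also runs after `verify` has already minted the replacement session, so if `invalidateSession` throws the caller gets an error while the new session row already exists in the store; a comment such as `// previous (typically anonymous) session is replaced by the one verify() just created` would document the intended order, and a failure here is probably better logged than propagated. The handler method begins before the hunk.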
@@ -1,19 +1,19 @@
 import createApp from '$lib/server/api/common/create-app';
 import configureOpenAPI from '$lib/server/api/configure-open-api';
-import {CollectionController} from '$lib/server/api/controllers/collection.controller';
-import {MfaController} from '$lib/server/api/controllers/mfa.controller';
-import {OAuthController} from '$lib/server/api/controllers/oauth.controller';
-import {SignupController} from '$lib/server/api/controllers/signup.controller';
-import {UserController} from '$lib/server/api/controllers/user.controller';
-import {WishlistController} from '$lib/server/api/controllers/wishlist.controller';
-import {AuthCleanupJobs} from '$lib/server/api/jobs/auth-cleanup.job';
-import {extendZodWithOpenApi} from 'hono-zod-openapi';
-import {hc} from 'hono/client';
-import {container} from 'tsyringe';
-import {z} from 'zod';
-import {config} from './common/config';
-import {IamController} from './controllers/iam.controller';
-import {LoginController} from './controllers/login.controller';
+import { CollectionController } from '$lib/server/api/controllers/collection.controller';
+import { MfaController } from '$lib/server/api/controllers/mfa.controller';
+import { OAuthController } from '$lib/server/api/controllers/oauth.controller';
+import { SignupController } from '$lib/server/api/controllers/signup.controller';
+import { UserController } from '$lib/server/api/controllers/user.controller';
+import { WishlistController } from '$lib/server/api/controllers/wishlist.controller';
+import { AuthCleanupJobs } from '$lib/server/api/jobs/auth-cleanup.job';
+import { extendZodWithOpenApi } from 'hono-zod-openapi';
+import { hc } from 'hono/client';
+import { container } from 'tsyringe';
+import { z } from 'zod';
+import { config } from './common/config';
+import { IamController } from './controllers/iam.controller';
+import { LoginController } from './controllers/login.controller';
 extendZodWithOpenApi(z);
diff --git a/src/lib/server/api/middleware/auth.middleware.ts b/src/lib/server/api/middleware/auth.middleware.ts
index 1f02b32..ab80c52 100644
--- a/src/lib/server/api/middleware/auth.middleware.ts
+++ b/src/lib/server/api/middleware/auth.middleware.ts
@@ -1,19 +1,19 @@
 import 'reflect-metadata';
 import {
+ type SessionCookie,
 cookieExpiresAt,
 cookieName,
 createBlankSessionTokenCookie,
 createSessionTokenCookie,
- type SessionCookie,
 setSessionCookie,
 } from '$lib/server/api/common/utils/cookies';
-import {SessionsService} from '$lib/server/api/services/sessions.service';
-import type {MiddlewareHandler} from 'hono';
-import {getCookie} from 'hono/cookie';
-import {createMiddleware} from 'hono/factory';
-import {verifyRequestOrigin} from 'oslo/request';
-import {container} from 'tsyringe';
-import type {AppBindings} from '../common/types/hono';
+import { SessionsService } from '$lib/server/api/services/sessions.service';
+import type { MiddlewareHandler } from 'hono';
+import { getCookie } from 'hono/cookie';
+import { createMiddleware } from 'hono/factory';
+import { verifyRequestOrigin } from 'oslo/request';
+import { container } from 'tsyringe';
+import type { AppBindings } from '../common/types/hono';
 // resolve dependencies from the container
 const sessionService = container.resolve(SessionsService);
@@ -34,8 +34,20 @@ export const verifyOrigin: MiddlewareHandler = createMiddleware(asy
 export const validateAuthSession: MiddlewareHandler = createMiddleware(async (c, next) => {
 const sessionId = getCookie(c, cookieName) ?? null;
 if (!sessionId) {
+ const requestIpAddress = c.req.header('x-real-ip');
+ const requestIpCountry = c.req.header('x-vercel-ip-country');
+ const session = await sessionService.createSession(
+ sessionService.generateSessionToken(),
+ 'anonymous',
+ requestIpCountry || 'unknown',
+ requestIpAddress || 'unknown',
+ false,
+ false,
+ );
+ const sessionCookie = createSessionTokenCookie(session.id, cookieExpiresAt);
+ setSessionCookie(c, sessionCookie);
+ c.set('session', session);
 c.set('user', null);
- c.set('session', null);
 return next();
 }
diff --git a/src/lib/server/api/services/sessions.service.ts b/src/lib/server/api/services/sessions.service.ts
index 7f2dbbc..94bb8d2 100644
--- a/src/lib/server/api/services/sessions.service.ts
+++ b/src/lib/server/api/services/sessions.service.ts
@@ -26,7 +26,7 @@ export type Session = {
 isTwoFactorAuthenticated: boolean;
 };
-export type SessionValidationResult = { session: Session; user: Users } | { session: null; user: null } | { session: Session; user: undefined };
+export type SessionValidationResult = { session: Session; user: Users } | { session: null; user: null } | { session: Session; user: null };
 @injectable()
 export class SessionsService {
@@ -97,7 +97,7 @@ export class SessionsService {
 isTwoFactorAuthenticated: result.is_two_factor_authenticated,
 };
 let user: Users | undefined = undefined;
- if (session.userId) {
+ if (session.userId && session.userId !== 'anonymous') {
 user = await this.usersRepository.findOneById(session.userId);
 }
 if (Date.now() >= session.expiresAt.getTime()) {
@@ -126,7 +126,7 @@ export class SessionsService {
 );
 }
- return { session, user };
+ return { session, user: user ?? null };
 }
 async invalidateSession(sessionId: string) {
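Review bot: After this change `c.var.session` is non-null on every request, including unauthenticated ones, so any guard elsewhere that tests the session rather than `c.var.user` to decide whether a caller is logged in will now admit anonymous callers; the block should state that invariant, e.g. `// anonymous sessions carry userId 'anonymous' and user === null; authorization must key on c.var.user, never on session presence`. The literal `'anonymous'` is duplicated in sessions.service.ts (`session.userId !== 'anonymous'` in the @@ -97 hunk); export one constant such as `ANONYMOUS_USER_ID` from the service and use it in both places so the two checks cannot drift. Every cookie-less request now performs a session insert and sets a cookie, which turns crawler, scanner or cookie-less API traffic into unbounded session rows — the cleanup job imported in index.ts presumably bounds retention but not the write rate, so consider creating the anonymous session lazily or only on the routes that need one. `x-real-ip` and `x-vercel-ip-country` are stored as-is; they are platform-set behind Vercel's proxy but caller-supplied anywhere else, which is worth a comment on those two lines. validateAuthSession continues past the hunk.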
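Review bot: When `session.userId` is a real id and `findOneById` returns no row (user deleted), `user` stays undefined and the `user ?? null` added at @@ -126 makes that session indistinguishable from the anonymous sessions this commit introduces — it remains valid and is returned as `{ session, user: null }`, which the reshaped `SessionValidationResult` at @@ -26 now presents as an ordinary case. A missing user for a non-anonymous id should be treated as an invalid session, e.g. after the lookup `if (session.userId !== 'anonymous' && !user) { await this.invalidateSession(session.id); return { session: null, user: null }; }`, or the anonymous case should get an explicit discriminant on `Session` instead of overloading `user: null`. The enclosing method begins and ends outside these hunks.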