From 3e44e9d3f66eea26500cf0ed58c64f6861167404 Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Fri, 5 Jan 2024 19:10:27 +0100
Subject: [PATCH] stages/user_login: only set last_ip in session if a binding
 is given (#8074)

---
 authentik/stages/user_login/middleware.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/authentik/stages/user_login/middleware.py b/authentik/stages/user_login/middleware.py
index 8fea4c408..73e42e1ac 100644
--- a/authentik/stages/user_login/middleware.py
+++ b/authentik/stages/user_login/middleware.py
@@ -109,7 +109,10 @@ class BoundSessionMiddleware(SessionMiddleware):
             self.recheck_session_geo(configured_binding_geo, last_ip, new_ip)
         # If we got to this point without any error being raised, we need to
         # update the last saved IP to the current one
-        request.session[SESSION_KEY_LAST_IP] = new_ip
+        if SESSION_KEY_BINDING_NET in request.session or SESSION_KEY_BINDING_GEO in request.session:
+            # Only set the last IP in the session if there's a binding specified
+            # (== basically requires the user to be logged in)
+            request.session[SESSION_KEY_LAST_IP] = new_ip
         AuthenticatedSession.objects.filter(session_key=request.session.session_key).update(
             last_ip=new_ip, last_user_agent=request.META.get("HTTP_USER_AGENT", "")
         )