The code that verifies if an IP is on an (anonymous) whitelist is duplicated. That code should be centralized, similar to its non-anonymous cousin in LocalClientSession.