I have a managed user for whom I want to revoke access to my server. I have removed their devices under Authorized Devices and changed my Plex account password. Despite this, their account will still show up streaming media to a device that I specifically removed from Authorized Devices. It’s as though their access token is still being treated as valid by Plex.
I’ve tested this with some of my own players, too. I removed my iPhone, which caused the app to prompt me to log in the next time I opened it. I removed my Mac, but can still stream from the Mac app without having to log in again. My Mac does not appear under Authorized Devices, yet it can still stream.
This seems like a pretty massive security problem as access revocation doesn’t really seem to work with any reliability. Am I missing something?
This is an old managed non-admin account from when they were in the same house. I’ve moved users who no longer live with me to their own Plex accounts and shared library access with them, but this one user refuses to log out on their PS5, so I have to force their hand.
I could add a PIN to each user, sure, but it adds an annoying inconvenience. It also still doesn’t address the fact that there is no reliable way to deauthorize a session, which seems like a MASSIVE security issue.