Security Issue - Plex Login Bug with Profiles

Hi,

I found a bigger security issue with login to Plex.

On a new device, if you log in first with your e-mail address and password, there are no cookies set, therefore it logs you in as the admin profile. You don't have to type in your PIN for the profile.

This should be checked and fixed ASAP.

Kind regards.

This is by design.
Managed users cannot sign into a new device by themselves – they need the admin of the Plex Home to sign into the device. Only then can you switch the user and change to their profile.

You should not share your credentials with managed users (or any other users for what it’s worth).

https://support.plex.tv/articles/203948776-managed-users/

Hi, the problem is not that the login is with the admin profile, the problem is that without cookies the first login attempt (or deleting cookies) leads automatically into admin permission, which can't be intended by design.

I might be missing something :wink:
If I open the web app in a private window (no cookies), Plex won't recognize my previously signed-in account and asks me to log in.
I can't see it automatically signing in as the admin?!

I meant, sign in … then normally, with cookies, the page with the profiles appears, where you have to select your profile and type in the PIN.

This isn't the case if cookies are deleted or not there.

If you delete the cookies… are you still signed in as the admin?

Yes,

and as I said, if I log in again with e-mail and password, I am automatically in with the admin profile, no profile PIN, nothing. After a reload, the profile page where I have to choose the profile and type in the PIN appears.

As I said, that's a big security issue. A hacker is, with the first login without a cookie, directly admin and can do anything he wants.

If there are no cookies, the web app won't remember who you are and won't authenticate you as admin (or anyone, actually).

Sorry, if I’m thick… I have a feeling I’m missing something you’re trying to tell me. Maybe something about the part where I perceive you mean to delete cookies after you’re signed in with the admin account (but before switching users)???

Yes; that’s by design and as described above.

Or if you opt to switch users. That’s expected / by design.

This is where you lost me.

So you want to tell me that, if I log in on another notebook, browser, etc., on a long-existing Plex Media Server, it is OK by design that the profile selection does not appear at first login?

Sounds weird to me, but OK.

That’s exactly what I wrote in my first response.
The first login on a “new” device can only be done by the admin. The admin might do some config to the app (e.g. enabling Automatically sign in if they want that device to be used exclusively by one of their managed users).

A managed user can't just log in with their device (given they don't have a password).
They need the admin to log in first and then to switch users.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.