Auto-Login on port 8096?

[philby 3]

Well, that was a bit scary right now.

 

Had Emby running on my Synology, and decided to create a web app for it using Fluid.

The URL for this fluid instance is my Synology dynDNS address, with the 8096 port at the end.

 

I was a bit surprised when the web app immediately logged itself in, with no entry whatsoever needed or even possible, from my side – it doesn't share cookies with Safari (where I'm logged in).

 

So I open the same dynDNS URL with Firefox: immediate login as admin with full rights over everything.

 

So maybe it's because I'm in the same network, and Emby somehow checks IPs? Open the VPN, get a US-based IP, open the URL again in another browser: bingo, auto-login.

 

I then try this with Safari on my iPhone while in the same WLAN: autologin.

I turn off WLAN and switch to Firefox on the Phone: you guessed it, autologin.

 

I even open my wife's laptop, enter the link: autologin.

 

Seems to me anyone who opens this URL from anywhere in the world has immediate admin access to all my Emby contents.    

 

That can't be how it's supposed to work. Where do I switch this off in Emby?

[Luke 37096]

Hi, just give your emby user a password.

 

If there is only one single emby user, and if that user doesn't have a password, then it will log you straight in because at that point it's nothing more than an extra click.

[philby 3]

Ahhh... coming over from Plex, I thought entering my Emby connect data would secure the account. Beginner error.

[Luke 37096]

The difference is your server is only tied to your cloud Emby Connect account if you want it to be. That makes user management much more flexible but you do have to manage what users can access and how they can access it.