Yes, you are right, I'm sorry.
The only known possible way to get logged in as different member, is get ahold an active sessionid (for example by visiting a fresh url to the gallery with sessionid attached to it) But even though, you must be on the same IP as the member started the session. So, never give anyone a link with sessionid in it!
So, unless you could reproduce this, there is nothing we could work with...sorry.