Security Breach


Gargoylee
02-28-2003, 08:11 PM
Today, my friend discovered that if you send someone a link, it automatically logs them in as you.

Is there any way to stop that besides logging out and then sending them the link?

Tigga
02-28-2003, 09:43 PM
Hmm... I think it might have to do with the fact that you don't use cookies. Anyone that doesn't use cookies will have something like s=93fd3r53fds323432 in the URL when they're browsing the board. Those numbers are your "session hash", which it uses to keep you logged in. I'll see what I can do to try and keep that from happening, but it may be something in vBulletin that can't be controlled...

Actually, I just found a post on vBulletin's website about a similar situation. According to them, it should usually happen if someone is on the same proxy as you, and it says they may be logged in as you when they visit that page, but if they go to any other pages then they shouldn't still be logged in. I'll try testing a few things just to make sure, but from reading through that thread it doesn't look like it could actually pose a security risk...

In the meantime though, you could either turn cookies on in your user cp, or just be sure if you're sending someone a link that you don't include the session hash with the link if you're worried about it.

Here's a couple of posts on the issue from the developers as well...
Most reports of this have been that they find themselves being recognized as someone else, but once they click they are no longer seen as that user. Meaning, it's a case of one cached page being served and once a click is made a fresh page is pulled from the remote web server.
The user is only seeing cached pages. They will not be able to perform any action as you that requires server-side processing, such as posting a message.

Viewing cached pages is a problem for ANY web-based system, it's not something we can fix, because all we can do is process data on the server. When an ISP serves a cached page, the server is not involved.

Tigga
03-01-2003, 02:45 PM
Well I did a little testing and the people that posted those answers that I copied have no idea what they're talking about. I turned off cookies on a test account and copied the link with the session hash. Then I closed the window, cleared out everything, and used the link to go to the message board. I was logged in, able to post, edit my profile, and all that good stuff without logging in. I posted a message on their support forums and they basically said it's not fixable (which isn't true since I know other programs that use sessions without a problem like that). I seriously doubt there's much I can do about it though if they don't even know how to fix it since I'm sure they know a hell of a lot more about PHP than I do. At least the problem only happens when you're not using cookies and when somebody is behind the same proxy as you. For now I guess the best solution is to either turn cookies on, or just be sure to delete a letter or two out of your session hash if you send somebody at work a link.
Here were the replies I got on vBulletin's support forum in case you wanted to see as well...
I believe what we've always said is that the way to deal with situations like this (users behind the same proxy) is to force cookie use.
If you are set not to use cookies then your session hash is basically your password. A check on IP and user agent is done so if they come from the same IP and they have a valid hash and the same user agent then they will be logged in. There is no way to uniquely identify a computer if the user is not willing to accept cookies.
If they're not happy about it, tell them to either use cookies or stfu (that's what I told my users, because they're freaking stupid and don't understand ANYTHING about php, and just think it can do anything, including identify them without cookies.)

Stack
03-01-2003, 06:57 PM
Would it be possible to check an ip against the session hash each page?

Tigga
03-01-2003, 07:01 PM
A check on IP and user agent is done so if they come from the same IP and they have a valid hash and the same user agent then they will be logged in.

Yes, it already does that. That's why it will work if someone is on the same proxy as you (ex - Delia at work), but if she sent me a link at home it wouldn't log me in as her.
Also, if you log out your session will no longer be valid and you get a new session each time you log in.
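
The check described in this thread, as an added example that is not vBulletin's code and not part of the original posts: a toy session store that accepts a URL-carried hash only when the IP and user agent match, plus a helper that strips the `s` parameter from a link before it is shared. The class, function names, addresses, user agent and URL are all constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

class SessionStore:
    """Toy model of URL-carried sessions bound to client IP and User-Agent."""
    def __init__(self):
        self._sessions = {}  # session hash -> (user, ip, user_agent)

    def login(self, user, ip, user_agent):
        token = secrets.token_hex(16)  # a fresh hash on every login
        self._sessions[token] = (user, ip, user_agent)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)  # the hash is invalid from now on

    def validate(self, token, ip, user_agent):
        """Return the user if hash, IP and User-Agent all match, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_ip, bound_ua = entry
        if ip != bound_ip or user_agent != bound_ua:
            return None
        return user

def strip_session_hash(url, param="s"):
    """Remove the session parameter from a link before sharing it."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    return urlunsplit(parts._replace(query=urlencode(query)))

def demo():
    store = SessionStore()
    proxy_ip, home_ip = "192.0.2.10", "198.51.100.7"  # constructed addresses
    ua = "Mozilla/4.0 (compatible; MSIE 6.0)"         # constructed User-Agent
    token = store.login("delia", proxy_ip, ua)
    link = f"http://forum.example/thread.php?s={token}&id=42"  # constructed URL
    results = {
        "coworker_same_proxy": store.validate(token, proxy_ip, ua),  # accepted
        "friend_at_home": store.validate(token, home_ip, ua),        # rejected
        "shared_link": strip_session_hash(link),
    }
    store.logout(token)
    results["after_logout"] = store.validate(token, proxy_ip, ua)    # rejected
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```
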

Gargoylee
03-01-2003, 11:22 PM
Cool, thanks :)

otto
03-08-2003, 07:45 AM
you should set the default option when signing up to browse forum with cookies... unless it already is. but yeah, it would make sense about the same proxy IP (mindspring's proxy) and session hash...

otto