Yeah, that is pretty much the case.
On the malicious side, one can simply steal cookies and verify him as logged in. Of course, the victim has to click on that specialized URL. This gets worse: for example, if an admin/mod clicks on a crafted link, his cookies might get stolen and the attacker gets admin/mod access.
Of course, he won't be able to change any forum settings or so, since SMF asks to re-enter the password on sensitive operations.
Fortunately, this method does not work on Chromium-based browsers.