Even if you turn off cookies, the session ID will be provided in the URL itself if you are doing something like making profile changes. Despite having the ID, it cant be used to impersonate a given user as the ID has to match the session itself. You are describing a CSRF attack which SMF does a pretty good job of defending against.