I understand now what the problem is, but still have no solution in mind. Please restore the previous version of bb_cookie.php and revert the changes you've made which I provided in my previous post. It won't work.
I could tell you the secret that such a thing may be available in almost every piece of software we have on the market, including the famous WordPress :-) I've just tested it in WordPress and it works the same way, i.e. it's possible to provide an image URL containing wp-login.php?action=logout and it will log out everybody.
I have also seen one that is an HTML form instead of a link, and it changed my profile signature.
It would be good to see such an example too...
I think CSRF may be provided only through the code which points to something external. The image tag is the most common case. To be completely safe, you can disable the [img]/[imgs] tags by removing them from bb_codes.php. So far it's the only solution I see. I will think about it today and post here if I find something else.
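A common defence against the forged logout request discussed in this thread is to require a per-session token on the action, so that a bare URL embedded in an image tag is rejected. The following is an added example, not part of the original posts and not miniBB or WordPress code; the function names, the `token` parameter and the secret are assumptions.

```php
<?php
// Added illustration; not miniBB or WordPress code. All names are hypothetical.

// Server-side secret; constructed placeholder, load from configuration in practice.
const ACTION_SECRET = 'replace-with-random-server-secret';

// Derive a token bound to the user's session and to one specific action.
function action_token(string $sessionId, string $action): string
{
    return hash_hmac('sha256', $sessionId . '|' . $action, ACTION_SECRET);
}

// Constant-time comparison of the expected token with the supplied one.
function action_token_valid(string $sessionId, string $action, string $supplied): bool
{
    return hash_equals(action_token($sessionId, $action), $supplied);
}

// Decide whether a logout request should be honoured.
// $query is the parsed query string (for example $_GET).
function should_logout(string $sessionId, array $query): bool
{
    if (($query['action'] ?? '') !== 'logout') {
        return false;
    }
    $token = $query['token'] ?? '';
    // Reject array-valued parameters such as token[]=x as well as missing tokens.
    return is_string($token) && action_token_valid($sessionId, 'logout', $token);
}

// Constructed sample requests for the same (constructed) session.
$sid = 'constructed-session-id-123';

// Request shape produced by an embedded image URL: action only, no token.
$forged = ['action' => 'logout'];

// Request shape produced by the site's own logout link, which includes the token.
$genuine = ['action' => 'logout', 'token' => action_token($sid, 'logout')];

var_dump(should_logout($sid, $forged));
var_dump(should_logout($sid, $genuine));
```

The site's own logout link is rendered with `token=` set to `action_token()` for the current session; a third party posting an image URL cannot compute that value without the server secret and the victim's session id.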