If he has cookies stored for his domain on his PC and has already logged in once, with the browser still open from logging in at an earlier time, his session cookie will still be saved and active, which will keep him logged in.
However, the fact that it wasn't 'his' account, did you say, is another problem. Is he sure it isn't his? Or is it a reseller maybe, and he's accessing one of his clients' accounts?
There is also another bug/feature: if any 2 accounts share a password, they can see each other's accounts. cPanel reported that it was a feature and not a bug, even though a *nix system does not perform this function on any platform I have EVER worked on.