Can you please explain what exactly your tunnel does? If you bridge Coppermine to another application, the user management and authentication are completely dropped by Coppermine. How exactly does your tunnel work? Does one application use the other's user database and authentication cookies or will it be cloned in some way?
When a Joomla! user logs in and is in the allowed group(s), the Joomla! system plugin grabs the user's info, including actual password, and creates an encrypted cookie with these data that has a persistence to match how they logged in. Then, when linking to CPG using the tunnel URL, the tunnel plugin sees the tunnel cookie and decrypts it. If the user does not exist in CPG, the plugin creates the user in the CPG specified group, otherwise it simply logs in the user. In either case, the plugin then redirects to the main CPG entry point. When the Joomla! user logs out, the tunnel cookie is deleted.
I have done the same thing with myBB for a family site of mine. In the case of myBB (and many other apps, I would presume), without hacking the app, the actual password is not available. In that case, I take the first 10 characters of their password hash to use as a password at CPG. This, of course, means that the user cannot log in directly at CPG, but I have yet to see that as a problem.
Thanks for your interest. Have I been clear enough?
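
The cookie round trip described in the answer above, as an added example that is not part of the original post or the plugin's code. The cipher (AES-256-GCM), the payload field names, the shared key and the function names are all assumptions; an authenticated mode is used so the CPG side rejects a cookie that was altered, and the expiry travels inside the encrypted payload.

```php
<?php
// Added example: names, payload layout and cipher are assumptions, not the plugin's code.
const TUNNEL_CIPHER = 'aes-256-gcm';

// Joomla! side: seal the user's data into a cookie value that expires with the login.
function tunnel_seal(array $user, int $lifetime, string $key): string
{
    $payload = json_encode(['exp' => time() + $lifetime] + $user, JSON_THROW_ON_ERROR);
    $iv  = random_bytes(12);          // fresh nonce for every cookie
    $tag = '';
    $ct  = openssl_encrypt($payload, TUNNEL_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// CPG side: returns the user array, or null if the cookie is malformed, altered or expired.
function tunnel_open(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;                  // too short to hold nonce (12) + tag (16) + data
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $payload = openssl_decrypt($ct, TUNNEL_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($payload === false) {
        return null;                  // authentication tag did not verify
    }
    $user = json_decode($payload, true);
    return (is_array($user) && ($user['exp'] ?? 0) >= time()) ? $user : null;
}

// Constructed demo: both sides share $key; $cpgUsers stands in for CPG's user table.
$key      = random_bytes(32);
$cpgUsers = ['bob' => true];
$cookie   = tunnel_seal(['name' => 'alice', 'password' => 'constructed-pw',
                         'group' => 'Registered'], 3600, $key);

$user = tunnel_open($cookie, $key);
echo $user === null ? "no valid tunnel cookie\n"
    : (isset($cpgUsers[$user['name']]) ? "log in existing user\n" : "create user, then log in\n");

// Flip one character inside the tag to simulate a tampered cookie.
$bad = $cookie;
$bad[20] = $bad[20] === 'A' ? 'B' : 'A';
echo tunnel_open($bad, $key) === null ? "tampered cookie rejected\n" : "tampered cookie accepted\n";
```

Because the payload holds the user's password, as the post describes, the key and the cookie's transport need the same protection as the password itself.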