If you share a home directory on both machines, and you're using xdm, then the access is based on the .Xauthority file in your homedir. "xauth list" should show the same thing on both systems, if this is the case. (Generally this isn't much better -- it means you're still vulnerable to the "magic cookie" being sniffed as it goes over the net, but other users on the remote host can't connect as they could if you'd used xhost...)
As for rlogin: no bug, it's just that rlogin has no mechanism to pass environment variables (and there's no way to extend the protocol portably, rlogin is doomed, use telnet :-)