This is becoming common practice. A base level of common features are available to a normal login session with particularly sensitive operations requiring re-authentication.
It seems that this really only defends against idle session hijacking, though. If the attacker is in a position to ride on whatever session they want, they'll just wait for an "elevated" session.
The classic sudo-esque escalation model can be configured to only allow sudo sessions within terminals, so doing one sudo doesn't suddenly allow the entire system "sudo" access. If it did, a malicious program could just sit and hit the priviledged operation with "sudo" until they got let in. The web's "sudo" is essentially this, because all authentication sessions go over HTTP and you can't really sandbox the source as nicely.
[edit] (HN had a funny hiccup there. Anyway...)
It would be interesting if we could get the same thing on the web. Perhaps some new type of cookie is considered "temporary, ultra-safe" by the browser and never written to disk, auto-cleared after X time, only transfered over HTTPS, etc.
A basic security system should automatically revoke any session that repeatedly attempts and fails to get past this secondary authentication. So the attacker would have to know in advance that you had recently freshed your session.
It seems that this really only defends against idle session hijacking, though. If the attacker is in a position to ride on whatever session they want, they'll just wait for an "elevated" session.
The classic sudo-esque escalation model can be configured to only allow sudo sessions within terminals, so doing one sudo doesn't suddenly allow the entire system "sudo" access. If it did, a malicious program could just sit and hit the priviledged operation with "sudo" until they got let in. The web's "sudo" is essentially this, because all authentication sessions go over HTTP and you can't really sandbox the source as nicely.
[edit] (HN had a funny hiccup there. Anyway...)
It would be interesting if we could get the same thing on the web. Perhaps some new type of cookie is considered "temporary, ultra-safe" by the browser and never written to disk, auto-cleared after X time, only transfered over HTTPS, etc.