
Consider requesting a reauthentication for GET requests in the grace period

Open TimWolla opened this issue 3 years ago • 0 comments

The reauthentication's grace period is meant to improve the UX in cases where a user opens up a form shortly before the soft limit expires and then submits the form after the soft limit is expired: They should not be forced to enter their password and lose their form data in those cases.

This should be a non-issue for GET requests, as they must not be used for data-modifying operations. Requesting the password for a GET request makes the reauthentication timeout a little more predictable, because the grace period only kicks in for POST requests / forms.

TimWolla, Mar 03 '22 11:03
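The decision the issue proposes, as an added sketch that is not part of the original issue or the project's own code: inside the grace period only POST requests are let through, while GET requests are asked for the password. The function name, constants and durations are assumptions made for illustration; the issue does not state the real limits.

```php
<?php
declare(strict_types=1);

// Assumed durations for illustration only; not taken from the project.
const SOFT_LIMIT_SECONDS = 3600;   // reauthentication becomes due after this
const GRACE_PERIOD_SECONDS = 600;  // extra window after the soft limit

/**
 * Hypothetical helper: returns true when the request must be answered
 * with a reauthentication prompt instead of being processed.
 */
function requiresReauthentication(string $method, int $lastAuthTime, int $now): bool
{
    $age = $now - $lastAuthTime;

    // A timestamp in the future is not trustworthy: fail closed.
    if ($age < 0) {
        return true;
    }
    // Soft limit not reached yet: nothing to do for any method.
    if ($age < SOFT_LIMIT_SECONDS) {
        return false;
    }
    // Soft limit and grace period both expired: always reauthenticate.
    if ($age >= SOFT_LIMIT_SECONDS + GRACE_PERIOD_SECONDS) {
        return true;
    }
    // Inside the grace period: only a form submission (POST) is let
    // through so the user does not lose the entered data. A GET request
    // carries no form data, so it can be asked for the password.
    return \strtoupper($method) !== 'POST';
}

// Constructed timeline: seconds elapsed since the last authentication.
$lastAuth = 1700000000;
$cases = [
    ['GET', 3500], ['POST', 3500],  // before the soft limit
    ['GET', 3700], ['POST', 3700],  // inside the grace period
    ['GET', 4300], ['POST', 4300],  // after the grace period
];

foreach ($cases as [$method, $age]) {
    $decision = requiresReauthentication($method, $lastAuth, $lastAuth + $age)
        ? 'reauthenticate'
        : 'allow';
    \printf("%-4s at +%4ds: %s\n", $method, $age, $decision);
}
```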