We have a config setting, MaxLongestTicketReissueIntervalSeconds, that is designed to provide very tight security and we believe addresses this issue in most (if not all) situations.  MaxLongestTicketReissueIntervalSeconds will govern the longest period of inactivity since last login that is permissible to be able to perform an action.  It's set to 36000 seconds (10 hours) by default, so set this to something like 300 seconds (5 minutes) or less in order to provide the security you're seeking.  The benefit here is that it's not going to reprompt you upon joining each session as long as you've stayed active within the application.  And it will protect you from unauthorized actions in the web UI such as sending commands (which are potentially more damaging than anything you can do inside a session).

FYI, you'll also have to change TicketReissueIntervalSeconds from the default of 600 seconds (10 minutes) to something less than your MaxLongestTicketReissueIntervalSeconds so that your session is continually extended while you're active in the application.