I think this is due to the fact that the session cookie has expired but the user cookie hasn't. So when you visit back the site the user cookie is still valid, but the session one isn't so you are asked to login again. This is on *any* page that requires a permission check.
It should be changed that the user is only required to enter his password if the public does not have read access. If the user has more functionality on the page when logged in, he would realize that and login, doesn't he?
It requires a TIP anyway, but maybe people can post their opinion about this? I usually get annoyed when I have to login to cognovis.de just to view our developer pages, even if I do not want to edit them.
Personally I could envision the following change. Add a user cookie lifetime parameter to acs-kernel which allows you to expire the user cookie as well. If someone wants the current behavior, just leave it at "0" which is the default. If someone wants the user to expire when the session does, set the lifetime to the amount of the session.
Makes sense ?