Nice question, seems like one needs to do some creative thinking here. Consider this (I may be wrong):
Suppose process A does the authentication and process B does the authorization.
Taking into consideration the IAA (identification, authentication and authorization) principle, the programmer naturally wants the authentication process to be followed up by authorization and not the other way around. Now, the way authorization works is that it is dependent upon some time-based policy, much the same thing in concept as in routers, where you see it as policy-based ACLs. Here, the time when the authorization process starts is critical, as it defines the user's right to access the application or a resource.
The entire system allows access to objects based upon context, so the attacker in that case can retrieve the time-related information, probably through social engineering attacks, that user (x) is the site administrator and remotely logs in at certain hours of the day. Using this information, the attacker can now do one of the following:
- Sniff the traffic
- Brute-force a weak password policy.
- Find a web-application bug (SQL injection)
- Using an already compromised server, he can perhaps write a script to turn on sniffing when he sees process B in memory.
This scenario is perhaps localized and dependent upon environment variables, but it is entirely plausible with regard to your statement about whether this could be a security risk or not.