diff --git a/resources/celerity/map.php b/resources/celerity/map.php
--- a/resources/celerity/map.php
+++ b/resources/celerity/map.php
@@ -469,7 +469,7 @@
     'rsrc/js/core/behavior-form.js' => '5c54cbf3',
     'rsrc/js/core/behavior-gesture.js' => '3ab51e2c',
     'rsrc/js/core/behavior-global-drag-and-drop.js' => '3f6075ff',
-    'rsrc/js/core/behavior-high-security-warning.js' => '8fc1c918',
+    'rsrc/js/core/behavior-high-security-warning.js' => 'a464fe03',
     'rsrc/js/core/behavior-history-install.js' => '7ee2b591',
     'rsrc/js/core/behavior-hovercard.js' => 'f36e01af',
     'rsrc/js/core/behavior-keyboard-pager.js' => 'a8da01f0',
@@ -595,7 +595,7 @@
     'javelin-behavior-fancy-datepicker' => 'c51ae228',
     'javelin-behavior-global-drag-and-drop' => '3f6075ff',
     'javelin-behavior-herald-rule-editor' => '7ebaeed3',
-    'javelin-behavior-high-security-warning' => '8fc1c918',
+    'javelin-behavior-high-security-warning' => 'a464fe03',
     'javelin-behavior-history-install' => '7ee2b591',
     'javelin-behavior-icon-composer' => '8ef9ab58',
     'javelin-behavior-launch-icon-composer' => '48086888',
@@ -1526,11 +1526,6 @@
       'javelin-dom',
       'javelin-stratcom',
     ),
-    '8fc1c918' => array(
-      'javelin-behavior',
-      'javelin-uri',
-      'phabricator-notification',
-    ),
     '9007c197' => array(
       'javelin-behavior',
       'javelin-dom',
@@ -1639,6 +1634,11 @@
       'javelin-vector',
       'javelin-install',
     ),
+    'a464fe03' => array(
+      'javelin-behavior',
+      'javelin-uri',
+      'phabricator-notification',
+    ),
     'a80d0378' => array(
       'javelin-behavior',
       'javelin-stratcom',
diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -539,8 +539,9 @@
    *
    * @return  dict<string, string>  Original request parameters.
    */
-  public function getPassthroughRequestParameters() {
-    return self::flattenData($this->getPassthroughRequestData());
+  public function getPassthroughRequestParameters($include_quicksand = false) {
+    return self::flattenData(
+      $this->getPassthroughRequestData($include_quicksand));
   }
 
   /**
@@ -548,11 +549,14 @@
    *
    * @return dict<string, wild> Request data, with magic filtered out.
    */
-  public function getPassthroughRequestData() {
+  public function getPassthroughRequestData($include_quicksand = false) {
     $data = $this->getRequestData();
 
     // Remove magic parameters like __dialog__ and __ajax__.
     foreach ($data as $key => $value) {
+      if ($include_quicksand && $key == self::TYPE_QUICKSAND) {
+        continue;
+      }
       if (!strncmp($key, '__', 2)) {
         unset($data[$key]);
       }
diff --git a/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php b/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
--- a/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
+++ b/src/aphront/configuration/AphrontDefaultApplicationConfiguration.php
@@ -135,7 +135,9 @@
         ->addCancelButton($ex->getCancelURI())
         ->addSubmitButton(pht('Enter High Security'));
 
-      foreach ($request->getPassthroughRequestParameters() as $key => $value) {
+      $request_parameters = $request->getPassthroughRequestParameters(
+        $respect_quicksand = true);
+      foreach ($request_parameters as $key => $value) {
         $dialog->addHiddenInput($key, $value);
       }
 
diff --git a/src/view/page/PhabricatorStandardPageView.php b/src/view/page/PhabricatorStandardPageView.php
--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -215,21 +215,9 @@
 
     Javelin::initBehavior('device');
 
-    if ($user->hasSession()) {
-      $hisec = ($user->getSession()->getHighSecurityUntil() - time());
-      if ($hisec > 0) {
-        $remaining_time = phutil_format_relative_time($hisec);
-        Javelin::initBehavior(
-          'high-security-warning',
-          array(
-            'uri' => '/auth/session/downgrade/',
-            'message' => pht(
-              'Your session is in high security mode. When you '.
-              'finish using it, click here to leave.',
-              $remaining_time),
-          ));
-      }
-    }
+    Javelin::initBehavior(
+      'high-security-warning',
+      $this->getHighSecurityWarningConfig());
 
     if ($console) {
       require_celerity_resource('aphront-dark-console-css');
@@ -547,6 +535,26 @@
     );
   }
 
+  private function getHighSecurityWarningConfig() {
+    $user = $this->getRequest()->getUser();
+
+    $show = false;
+    if ($user->hasSession()) {
+      $hisec = ($user->getSession()->getHighSecurityUntil() - time());
+      if ($hisec > 0) {
+        $show = true;
+      }
+    }
+
+    return array(
+      'show' => $show,
+      'uri' => '/auth/session/downgrade/',
+      'message' => pht(
+        'Your session is in high security mode. When you '.
+        'finish using it, click here to leave.'),
+        );
+  }
+
   private function renderFooter() {
     if (!$this->getShowChrome()) {
       return null;
@@ -628,6 +636,8 @@
           $controller);
     }
 
+    $hisec_warning_config = $this->getHighSecurityWarningConfig();
+
     $console_config = null;
     $console = $this->getConsole();
     if ($console) {
@@ -641,6 +651,7 @@
       ),
       'globalDragAndDrop' => $controller->isGlobalDragAndDropUploadEnabled(),
       'aphlictDropdowns' => $rendered_dropdowns,
+      'hisecWarningConfig' => $hisec_warning_config,
       'consoleConfig' => $console_config,
     ) + $this->buildAphlictListenConfigData();
   }
diff --git a/webroot/rsrc/js/core/behavior-high-security-warning.js b/webroot/rsrc/js/core/behavior-high-security-warning.js
--- a/webroot/rsrc/js/core/behavior-high-security-warning.js
+++ b/webroot/rsrc/js/core/behavior-high-security-warning.js
@@ -5,15 +5,42 @@
  *           phabricator-notification
  */
 
-JX.behavior('high-security-warning', function(config) {
+JX.behavior('high-security-warning', function(config, statics) {
 
-  var n = new JX.Notification()
-    .setContent(config.message)
-    .setDuration(0)
-    .alterClassName('jx-notification-security', true);
+  function show_warning(message, uri) {
+    var n = new JX.Notification()
+      .setContent(message)
+      .setDuration(0)
+      .alterClassName('jx-notification-security', true);
 
-  n.listen('activate', function() { JX.$U(config.uri).go(); });
+    n.listen(
+      'activate',
+      function() {
+        statics.showing = false;
+        JX.$U(uri).go();
+      });
 
-  n.show();
+    n.show();
+    statics.showing = true;
+  }
 
+  if (statics.showing) {
+    return;
+  }
+
+  if (config.show) {
+    show_warning(config.message, config.uri);
+  }
+
+  JX.Stratcom.listen(
+    'quicksand-redraw',
+    null,
+    function (e) {
+      var new_data = e.getData().newResponse.hisecWarningConfig;
+
+      if (!new_data.fromServer || !new_data.show || statics.showing) {
+        return;
+      }
+      show_warning(new_data.message, new_data.uri);
+    });
 });