Re: Nxt :: descendant of Bitcoin - Updated Information
Board: Announcements (Altcoins)
by Jean-Luc on 01/01/2014, 21:06:05 UTC
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

The server (the Java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

The client (the browser) does not store the secret phrase. Before 0.4.8, when doing send money from the browser, it would identify itself to the server using a random session id generated by JavaScript. I didn't like that and this is why I removed that possibility and added the requirement for secret phrase on the send money dialog too.