Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

After thinking about it and writing some code, I came up with these package parameters:
Allow a user to sudo forever: f
Referer must match this regexp: ""
IP must match this regexp: ""
Number of seconds until login required: 300
Extend timeout on every match: t
Allow ip address to change during session: f
Logout on a non-match: t
Don't require a login just warn: t
The defaults mean that the first time you visit a protected page you are warned. As long as you access protected pages (and only protected pages) at least once every 5 minutes, sudo is transparent. If you visit a non-protected page you are warned again. I've got the default path mostly working. I'll post some code tomorrow.
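As an added illustration (not code from the post, and not OpenACS code), here is a small Python model of how the eight parameters above could combine into a per-request decision. The parameter field names, the four outcomes (`warn`, `transparent`, `login_required`, `ignored`), the rule that a warning re-arms the sudo window, and the sample requests are all this example's own reading of the post, chosen so the defaults reproduce the behaviour described: warned on the first protected page, transparent within 5 minutes, warned again after leaving the protected area.

```python
"""Model of a sudo-window policy driven by the package parameters in the post.
Constructed illustration only; not OpenACS code. Field names mirror the post's
wording; the decision rules are this example's reading of that wording."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SudoPolicy:
    # Defaults match the values listed in the post.
    allow_sudo_forever: bool = False      # "Allow a user to sudo forever"
    referer_regexp: str = ""              # "Referer must match this regexp"
    ip_regexp: str = ""                   # "IP must match this regexp"
    timeout_seconds: int = 300            # "Number of seconds until login required"
    extend_on_match: bool = True          # "Extend timeout on every match"
    allow_ip_change: bool = False         # "Allow ip address to change during session"
    logout_on_nonmatch: bool = True       # "Logout on a non match"
    warn_only: bool = True                # "Don't require a login just warn"


@dataclass
class SudoSession:
    # None means there is no open sudo window for this user.
    opened_at: Optional[float] = None
    last_match_at: Optional[float] = None
    ip: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.opened_at is not None

    def open(self, now: float, ip: str) -> None:
        self.opened_at = self.last_match_at = now
        self.ip = ip

    def close(self) -> None:
        self.opened_at = self.last_match_at = self.ip = None


def _matches(policy: SudoPolicy, session: SudoSession, now: float,
             ip: str, referer: Optional[str]) -> bool:
    """A protected request 'matches' when every configured check passes."""
    if policy.referer_regexp and not re.search(policy.referer_regexp, referer or ""):
        return False
    if policy.ip_regexp and not re.search(policy.ip_regexp, ip):
        return False
    if not policy.allow_ip_change and session.ip != ip:
        return False
    if not policy.allow_sudo_forever and \
            now - session.last_match_at > policy.timeout_seconds:
        return False
    return True


def evaluate(policy: SudoPolicy, session: SudoSession, now: float,
             ip: str, referer: Optional[str], protected: bool) -> str:
    """Decide one request: 'transparent', 'warn', 'login_required' or 'ignored'."""
    if not protected:
        # Leaving the protected area is a non-match; the window is closed if
        # configured, so the next protected page warns again (as in the post).
        if session.active and policy.logout_on_nonmatch:
            session.close()
        return "ignored"
    if session.active and _matches(policy, session, now, ip, referer):
        if policy.extend_on_match:
            session.last_match_at = now   # sliding window
        return "transparent"
    # Either no window is open (first protected visit) or a check failed
    # (timeout, IP change, referer/IP regexp) on a protected page.
    if session.active and policy.logout_on_nonmatch:
        session.close()
    if policy.warn_only:
        session.open(now, ip)             # assumption: the warning re-arms the window
        return "warn"
    return "login_required"


def run_scenario(policy: SudoPolicy,
                 requests: List[Tuple[float, str, Optional[str], bool]]) -> List[str]:
    """Feed (now, ip, referer, protected) tuples through one session; return outcomes."""
    session = SudoSession()
    return [evaluate(policy, session, *req) for req in requests]


if __name__ == "__main__":
    # Constructed request stream: seconds, client IP, Referer, page protected?
    walk = [(0, "10.0.0.1", None, True), (100, "10.0.0.1", None, True),
            (350, "10.0.0.1", None, True), (700, "10.0.0.1", None, True),
            (710, "10.0.0.1", None, False), (720, "10.0.0.1", None, True),
            (730, "10.0.0.2", None, True)]
    for req, outcome in zip(walk, run_scenario(SudoPolicy(), walk)):
        print(req, "->", outcome)
```

With the defaults the walk above prints warn, transparent, transparent (the 350 s request is still inside the window because the 100 s match extended it), warn (the 700 s request is 350 s after the last match), ignored for the non-protected page, warn on returning, and warn again when the client IP changes. Turning `extend_on_match` off makes the 350 s request warn instead, and `allow_sudo_forever` disables the timeout check entirely.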