Sudo is a beautiful thing. But, like any powerful tool, it must be used wisely.
I find it most useful to wrap specific tasks (in Perl, naturally) with taint-safe code that restricts what can be done. Then, you grant sudo access only to that script -- not the system utilities it invokes. Since you're running through a web server, sudo access must be granted to the account under which that web server runs, not the account under which the user has been authenticated.
As far as authentication goes, I don't think you need to do it more than once -- if the user as originally authenticated had a role with additional privileges, he or she can do the advanced tasks. If not, access denied. That said, you might want to include a confirmation dialog for tasks that are somewhat risky -- like rebooting a production server.