Question about 'session' in pam w/rt pam_env.so

[L.A.Walsh]

I was wondering how one is supposed to preserve env variables set when

one initially logs into a system (like the same time loginuuid is set). 
Specifically,
ENV vars 'DISPLAY' and 'REMOTEHOST'.  I use the 2nd to generate the first and
want it to last for the entire time I am logged in.

I have been setting it in pam_env, using a similar example.

Now I find that some see pam_env as a means to set the environment
*per session* -- meaning they call it again during the common-session phase,
in addition to the 'auth' phase.  This has the tendency to overwrite
those variables. 

I'm told that there's no way to prevent this as if the user
clears their env (e.g. 'env -i), and that means it has to be called at the
beginning of each session so it can reset env vars (this despite the fact,
that I know of no one using such functionality, whereas I had been using
it for 'auth' only on initial system entry.

I can see the need for a session-based pam_env to generate a new
user environment (though right now, in my distro, the ENV is set
via shell scripts on initial login).

however, if I leave my distro's defaults in place, my display and remote
host are overwriten when I do a "sudo su" -- to get a new shell as root.

Is there a way to protect those vars, as right now, even though I
specify the -m flag to 'su', it seems not to preserve my env when I
invoke it via sudo. 

So how I can limit pam_env's resetting to save and carry forward
item's like remotehost and DISPLAY -- OR -- should pam_env only
be called during 'auth' and env-init should be left to shell scripting
(or putenv)...

I'm aware of the comment that says the module should be an AUTH
module, but I've been told that was only the initial design and that
the manpage and other docs allow for using it to initialize sessions.

Ideas or suggestions on how to do this would be great.
Thanks!
LW