In general, I am under the impression that creating a new JCR session takes too long. From the HST it takes about 25 ms. For security delegate sessions it takes on average about 50 ms.
Apart from this, a JCR session login results in a search through AbstractGroupManager#getMembershipIds(String userId).
This seems needlessly expensive to me (although most of the time a query is fast, it is blocking). Just cache the memberships for a userId IMO, and flush the cache on changes in the security domains.
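
The caching proposed above, sketched as an added example that is not part of the original report and is not Hippo repository code; the class name `MembershipCache`, its loader function and the sample data are hypothetical. A generation counter keeps a lookup that raced with a flush from leaving revoked memberships in the cache.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;

/** Hypothetical per-user membership cache (Java 16+ for the record). */
public class MembershipCache {
    private record Entry(long generation, Set<String> groupIds) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final AtomicLong generation = new AtomicLong();
    private final Function<String, Set<String>> loader; // stands in for the membership query

    public MembershipCache(Function<String, Set<String>> loader) {
        this.loader = loader;
    }

    public Set<String> getMembershipIds(String userId) {
        long seen = generation.get();          // read before the lookup and the query
        Entry e = cache.get(userId);
        if (e != null && e.generation() == seen) {
            return e.groupIds();               // hit: no query on login
        }
        // Query without holding a lock, so a slow query does not block other logins.
        Set<String> loaded = Set.copyOf(loader.apply(userId));
        // Tag with the generation seen before the query: if a flush ran meanwhile,
        // this entry no longer matches and is reloaded on the next login.
        cache.put(userId, new Entry(seen, loaded));
        return loaded;
    }

    /** Call on every change in the security domains (users, groups, memberships). */
    public void flush() {
        generation.incrementAndGet();
        cache.clear();
    }

    public static void main(String[] args) {
        // Constructed sample data in place of the repository.
        Map<String, Set<String>> store =
                new ConcurrentHashMap<>(Map.of("alice", Set.of("editor", "admin")));
        AtomicLong queries = new AtomicLong();
        MembershipCache c = new MembershipCache(u -> {
            queries.incrementAndGet();
            return store.getOrDefault(u, Set.of());
        });
        c.getMembershipIds("alice");
        c.getMembershipIds("alice");
        System.out.println("queries after two logins: " + queries.get());
        store.put("alice", Set.of("editor"));  // "admin" revoked
        c.flush();
        System.out.println("after revoke and flush: " + c.getMembershipIds("alice"));
    }
}
```

If the flush is not wired to every path that changes users, groups or memberships, a revoked membership stays effective for cached users until the next flush.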