> always going to the database for connecting an opaque session token to an identity can quickly become slow

PHP does this every single request. I’ve never had enough users that this became a significant issue (and you probably don’t either)