Is there a way to use the WordPress users but without loading the entire WordPress core?

If I had to do this, I’d use my own cookie to determine login and only load WordPress to check when necessary.

The wordpress_logged_in_{some-hash} cookie can be used to determine the user, and WordPress uses it to determine the same. You can’t easily reimplement that, but you can use it without loading WordPress on multiple requests.

For example, here’s my cookie hash (completely made up data, but realistic):

key: wordpress_logged_in_1234567890abcdef1234567890abcdef
value: admin|1234567890|abcdef1234567890abcdef1234567890

The way WordPress knows that cookie is valid is irrelevant; all you need to know is whether it’s valid one time, then you sign it with a secret.

So, first time, the user isn’t proven yet. You load wp-load.php and WP validates the cookie and logs the user in. You now do whatever you do to prove to yourself that the user has been logged in, then you set your own cookie. The key can be anything custom to you, the value you make into a message digest with a secret key using the hash_hmac function.

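$key   = 'wordpress_logged_in_1234567890abcdef1234567890abcdef'; // the key from the WP cookie (sample from above)
$value = 'admin|1234567890|abcdef1234567890abcdef1234567890';    // the value from the WP cookie (sample from above)
$hash  = hash_hmac('md5', $key . $value, 'some secret key');     // keyed digest that only the server can produce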

You’ll get back gibberish, which you send back to them using setcookie(). On future requests, they’ll send this cookie back to you. You can check that first and validate it using the same hash function and secret key.

Only you can generate the hash because only you know the secret key. So if they send back a valid hash that also matches what they send for their WP cookie, then you know they’ve been validated with WP, through your code, before, and you can get the username right from that value (it’s the first part of the cookie, obviously). Then you don’t have to load WP.

The secret key, BTW, should be long and random. Not a short password. Not a dictionary word. Just large nonsensical gibberish. Line noise, and lots of it. Example key:
'GHY5hFNqq4Ntdu=3:SUp8#/+_W!- @@^@xslN*L|N+Vn;(1xo8jNyp,au$v9Ki5*'
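
The check on later requests, sketched as an added example that is not part of the original answer. The cookie name `my_wp_auth` and the function names are hypothetical; it also goes beyond the answer by using SHA-256 instead of MD5, separating name and value with a NUL byte, comparing with `hash_equals()`, and rejecting a WP cookie whose second field (assumed to be the expiry timestamp, as in the sample value) has passed.

```php
<?php
// Added example, not the answer's own code. All names are hypothetical.
const MY_AUTH_COOKIE = 'my_wp_auth';
const MY_SECRET = 'placeholder-load-a-long-random-key-from-config';

/** HMAC over the WP cookie name and value; "\0" keeps the two fields apart. */
function sign_wp_cookie(string $name, string $value, string $secret): string
{
    return hash_hmac('sha256', $name . "\0" . $value, $secret);
}

/**
 * Return the username if the companion cookie proves this exact WP cookie
 * was validated before; return null if WordPress must be loaded to check.
 */
function fast_path_user(array $cookies, string $secret, int $now): ?string
{
    $tag = $cookies[MY_AUTH_COOKIE] ?? null;
    if (!is_string($tag)) {
        return null;
    }
    foreach ($cookies as $name => $value) {
        $name = (string) $name;
        if (!is_string($value) || strpos($name, 'wordpress_logged_in_') !== 0) {
            continue;
        }
        // Constant-time comparison so the tag cannot be guessed via timing.
        if (!hash_equals(sign_wp_cookie($name, $value, $secret), $tag)) {
            continue;
        }
        $parts = explode('|', $value);
        // Assumption: field 2 is the expiry timestamp, as in the sample value.
        if (count($parts) < 2 || !ctype_digit($parts[1]) || (int) $parts[1] <= $now) {
            return null;
        }
        return $parts[0];
    }
    return null;
}

// Constructed sample cookies based on the made-up data in the answer.
$name    = 'wordpress_logged_in_1234567890abcdef1234567890abcdef';
$value   = 'admin|' . (time() + 3600) . '|abcdef1234567890abcdef1234567890';
$cookies = [$name => $value, MY_AUTH_COOKIE => sign_wp_cookie($name, $value, MY_SECRET)];

var_dump(fast_path_user($cookies, MY_SECRET, time())); // untouched cookie pair
$cookies[$name] = str_replace('admin|', 'other|', $value);
var_dump(fast_path_user($cookies, MY_SECRET, time())); // WP cookie altered after signing
```

When `fast_path_user()` returns null, fall back to loading wp-load.php, let WordPress validate the session, and only then issue the companion cookie with `setcookie()`. The signed cookie keeps passing this check until the expiry in the WP cookie value, even if the user logs out of WordPress in the meantime, so clear it on logout as well.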
