chie: Ok. That's kinda iffy, then, because there isn't too much you can do pre-authentication. Post-auth, you can impose restrictions as velope suggested, but that won't help a whole lot if the authentication part is ressource-intensive.
(Though if it is, there is probably a problem somewhere ...)