Not sure what the, "Best," way to associate artefacts with sessions is,
but a key question is: how secure do you want it?

I have a servlet which instantiates a Session based on a name and
password entered by the user. I then insert this name/password
combination in the HTTP sent back to the user, and map the name/password
to the session in the servlet.

When the user enters more input, the name/password are sent as fields to
the servlet, which then finds the appropriate Session to process the input.

This is, of course, unsecure.

As for creating files for a particular session, simplest is to create
the filename with a counter which is stepped per session instantiation,
and store this name in the Session itself, thus the correct files are
accessible via the name/password-Session mapping for each session access.

Finally, on servlet initialisation I create a watchdog thread that wakes
up every five minutes and examines every active Session (each session
records the time of its last access). Any session that hasn't been
touched in five minutes is presumed abandoned and so destroyed. In your
case, the Session itself will be told to kill itself, and it can delete
its files.

Store all the File references in an object that implements
HttpSessionBindingListener and keep only that reference in the
session - when the session is invalidated for any reason, the
valueUnbound method will be called and you can proceed with
cleanup.

Bill