Session-scoped beans (using scope="session") is the cleanest approach. This removes the need to interact with the session yourself.
If you want to autowire a session-scoped bean in to the controller, you either need to make the controller session-scoped itself, or use a scoped-proxy to wire it into a singleton controller, as described here. Either approach is valid.