Why do you need sessions? Is it for Authentication and Authorization reasons? If so I would use http basic with SSL or digest. As such there is no start or end session, because http is stateless and security headers are sent on each request.
Suggestion of upload resource would be to directly map as private filesystem
# returns all files and subdirs of root dir
GET /{userId}/files
GET /{userId}/files/file1
GET /{userId}/files/dir1
# create or update file
PUT /{userId}/files/file2
When uploading file content you then would use multipart content type.
Revised answer after comment
I would design your wanted separation of file-content and payload by introducing link (to file-content) inside upload payload. It eases resource structure.
Representation 'upload' resource:
{
"upload-content" : "http://storage.org/2a34cafa" ,
"metadata" : "{ .... }"
}
Resource actions:
# upload file resource
POST /files
-> HTTP 201 CREATED
-> target location is shown by HTTP header 'Location: /files/2a34cafa
# /uploads as naming feels a bit more natural as /files
POST /sessions/{sessionId}/uploads
-> HTTP 201 CREATED
-> HTTP header: 'Location: /sessions/{sessionId}/uploads/1
-> also returning payload
# Updating upload (like metadata)
/PUT/sessions/{sessionId}/uploads/1
