Yes, your example of creating the User and storing it in the session is the way it's usually done with model objects in Spring. Model objects aren't a Spring controlled bean at all - prototype or session - but they are used by these beans.
"User" is a model, so you'd create a "User" class that has all the fields you're interested in - like "loginName", "displayName" - maybe "email", "role", etc. "User" might be a hibernate and/or JPA, etc. annotated/mapped class to handle mapping it to database tables - or may not if you're just using
JDBC. This class would not appear in the Spring configuration as a bean - because Spring isn't handling creation of it - instances get created during program use by the DAO layer (and possibly the web layer - though probably not in this instance).
You would create a "UserDAO" class to handle data access - this could extend SimpleJdbcDaoSupport if you're using JDBC, HibernateDaoSupport if you're using Hibernate, extend nothing but have an injected EntityManagerFactory if you're using JPA, etc. This class handles interactions with the database - so you have methods to find existing "User" instances in the database, create new "User" instances in the database, delete "User" instances from the database, update a "User" instance in the database, etc. This class will create the actual "User" objects - if you're using JDBC, you'll probably have to manually construct and populate the instances yourself in the code, if you're using an ORM tool, it will probably handle actual object creation and population. This class will be in the Spring configuration - as a Singleton.
Above the DAO is the Service layer - this layer has what are usually termed "Business methods" in it - so you might create a "UserService" class and add methods like "login", "logout", "checkPermission", etc. This class will also be in the Spring configuration as a Singleton. This class will use the DAO layer to do any database operations it needs, so you'll need to inject a dependency on the "UserDAO".
Above the Service layer is the Web layer or Presentation layer - this layer deals with interacting with the user - dealing with navigation around the web app, converting
String input from web forms into object representations needed by the code, etc. This layer is a mix of various Controller classes (mapped in the Spring configuration as Singletons) and JSPs the Controllers use as Views. In some cases your Web layer Controllers may also create instances of your model classes - probably not in the case of User, you'll just take the login and password as Strings and pass them to the service layers "login" method to get back a User object - but in cases it makes sense for a new object to be constructed when a form is submitted. Depending on the controller class you use, this may happen automatically or you may have to call the constructor manually in your code.