I always do a cleaning method for sessions before I use them. An example would be
mysql_real_escape_string($_SESSION['username']);
The session only contains the id to the physical file that is stored on the server. How can this session be used client side to do malicious activity? Is it then necessary to clean the session before using it?
You only need to use the mysql_real_escape_string function when you are querying a MySQL database.
When you say ID of the file, do you mean the variable always contains an integer? If this is so then there is no reason to escape it as it is not a string.
If you do not know for sure what the session variable is going to contain, then you should always escape/sanitize it.
If you read user input from the session, then you have to sanitize it. If the user cannot influence the value (maybe a timestamp), there is no need to check it.
Sanitizing is necessary before you are using the value, e.g. before you output to an HTML page or before you use the variable in an SQL statement. To write to an HTML form you can use the function htmlspecialchars(); to use the variable for MySQL SQL statements use the specialized function mysql_real_escape_string().
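As an added PHP example (not code from either answer), here is the "escape at the point of use, in the form that context needs" rule applied to a session: it assumes a session holding an integer user_id and a username that originally came from user input, and it uses mysqli, since the mysql_* functions named above were removed in PHP 7.

```php
<?php
// Added example: the same session value is encoded differently for HTML
// output and for SQL; an integer is cast instead of escaped.
declare(strict_types=1);

// Constructed session contents standing in for a real session; the username
// deliberately carries a quote and a tag to show what each context does with them.
$_SESSION = [
    'user_id'  => '42',
    'username' => "o'neil <script>alert(1)</script>",
];

// Integer values: cast rather than escape. A non-numeric value becomes 0,
// which cannot alter the SQL or the HTML it is placed into.
$userId = (int) $_SESSION['user_id'];

// HTML context: encode <, >, &, " and ' so the value cannot close the
// attribute or inject an element. ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the value.
function usernameInput(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '">';
}
echo usernameInput($_SESSION['username']), "\n";
// value="o&#039;neil &lt;script&gt;alert(1)&lt;/script&gt;"

// SQL context: mysqli_real_escape_string() is the maintained counterpart of
// mysql_real_escape_string(). It needs a live connection because the escaping
// depends on the connection's character set, so a mysqli object is passed in.
function userByNameEscaped(mysqli $db, string $username): string
{
    $safe = $db->real_escape_string($username);
    return "SELECT id FROM users WHERE username = '{$safe}'";
}

// A prepared statement keeps the value out of the SQL text entirely, so there
// is no escaping step that can be forgotten or applied in the wrong encoding.
function userByNamePrepared(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}
```

Run the top part as-is to see the HTML encoding; the two SQL functions need a mysqli connection to a database with a users(id, username) table.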