How do I implement session aware WEB API on specific controllers?

Keep in mind that working with SessionStateBehavior.Required has quite an impact and only part of your routes actually need write access to the session. The worst thing is that only a single request per user will be processed at once because the session has to be locked.

That being said, there is a way to work with sessions differently depending on the route.

You can use IHttpRoute.DataTokens to add custom fields to your routes. I created a small extension class to set the SessionStateBehavior for each route, individually:

public static class SessionHelper
{
  private static SessionStateBehavior GetSessionStateBehavior(IDictionary<string, object> dataTokens)
  {
    return dataTokens.ContainsKey("SessionStateBehavior") ? (SessionStateBehavior)dataTokens["SessionStateBehavior"] : SessionStateBehavior.Default;
  }

  public static SessionStateBehavior GetSessionStateBehavior(this IHttpRoute route)
  {
    return GetSessionStateBehavior(route.DataTokens);
  }

  public static SessionStateBehavior GetSessionStateBehavior(this RouteData routeData)
  {
    return GetSessionStateBehavior(routeData.DataTokens);
  }

  public static void SetSessionStateBehavior(this IHttpRoute route, SessionStateBehavior behavior)
  {
    route.DataTokens["SessionStateBehavior"] = behavior;
  }

  public static IHttpRoute MapHttpRoute(this HttpRouteCollection routes, string name, string routeTemplate, object defaults, SessionStateBehavior behavior)
  {
    return MapHttpRoute(routes, name, routeTemplate, defaults, null, behavior);
  }

  public static IHttpRoute MapHttpRoute(this HttpRouteCollection routes, string name, string routeTemplate, object defaults, object constraints, SessionStateBehavior behavior)
  {
    var route = routes.CreateRoute(routeTemplate, defaults, constraints);
    SetSessionStateBehavior(route, behavior);
    routes.Add(name, route);

    return route;
  }
}

When setting up your route, you can use the extension to define a specific session state behavior:

config.Routes.MapHttpRoute(
    "DefaultSessionApi",
    "api/{controller}/{id}",
    new { id = RouteParameter.Optional },
    SessionStateBehavior.ReadOnly);

config.Routes.MapHttpRoute(
    "WriteStuffToSession",
    "api/writestufftosession",
    null,
    SessionStateBehavior.Required);

Then, in the PostAuthorizeRequest event, you can parse your route and set the SessionStateBehavior accordingly:

protected void Application_PostAuthorizeRequest()
{
  var context = new HttpContextWrapper(HttpContext.Current);
  var path = context.Request.AppRelativeCurrentExecutionFilePath;
  if (path == null || !path.StartsWith("~/api"))
  {
    return;
  }

  var routeData = RouteTable.Routes.GetRouteData(context);
  if (routeData != null)
  {
    context.SetSessionStateBehavior(routeData.GetSessionStateBehavior());
  }
}