Make sure every login is unique, and to make is easier make sure each login only contains characters which are allowed in a valid file name.
I know, like jemz or Cups
then when they upload their image, name it after their user name.
"Hi there jemz, here is your picture "
if( !isset($_SESSION['username']) )
// send away to login
$username = $_SESSION['username'];
// do some kind of data cleansing here
// disallowing directory traversal attacks
// being aware a clever user could add dots and slashes
// to their original user name
echo "Hi there $username,";
// make sure the file exists
if( file_exists('/user-images/' . $username. '.jpg'))
echo ' here is your picture <img src="/user-images/' . $username . 'jpg" />';
This is just an incredibly simplified example of how you could go about things ie username === image name plus .jpg, but you have to be very very careful to defend against simple attacks - as my comments hopefully show, I have no idea how clean or "tamper-able" the data getting to your SESSION is.