1) I'm not aware of anything, but that doesn't mean much.
2) Perhaps the web application could pass this additional information about the end user in when the user starts using the applications using sp_addauditrecord. The records generated by that spid could then be mapped to that user until the next sp_addauditrecord entry.