Then for unauthorized users, store kittens in local sessions, and when it creates an account, transfer all that staff to DB and delete it from the browser.
Yes, you better store kittens inside the User.
If you store users inside the kittens - imagine that you deleted the user. What happens next? Your kittens will remain with a relationship to an inexistent user, and you should search in ALL kittens to find if it has that user and delete its relation
If you store kittens inside the users - then you just delete the user and the story finished here.