I would avoid having a dependency on the static HttpContext. My preferred strategy would be to extract the information from the session in the controller and pass it as parameters (or set as properties) on your data access layer/repository. If you feel that you must use the Session directly, then I would provide it to the DAL/repository in the same manner -- as a property or as a parameter. Note, however, that you are increasing the coupling between your DAL/repository and the controller. This will make it much more difficult to re-use in a non-web setting, i.e., you'd have to create a fake session just to interact with the DAL/repository if you ever needed to work with it from a windows service or console app, for example.