Skip to main content

Unit Testing HttpContext.Current.Session in MVC3 .NET

We recently changed some functionality where during the "CREATE" process, we go through a wizard to save application data. This data is saved only to the session in the final step when the user clicks the final submit.

This was easy enough to implement but when I started writing unit tests for my static methods that Add, Update, Delete or Modify the contents of our application data in the session, I got the following error:

System.NullReferenceException: Object reference not set to an instance of an object.

Turns out I had forgotten to setup the HttpContext.

The following "TestInitialise" method fixed my problem :)

public void TestSetup()
// We need to setup the Current HTTP Context as follows:

// Step 1: Setup the HTTP Request
var httpRequest = new HttpRequest("", "http://localhost/", "");

// Step 2: Setup the HTTP Response
var httpResponce = new HttpResponse(new StringWriter());

// Step 3: Setup the Http Context
var httpContext = new HttpContext(httpRequest, httpResponce);
var sessionContainer =
new HttpSessionStateContainer("id",
new SessionStateItemCollection(),
new HttpStaticObjectsCollection(),
httpContext.Items["AspSession"] =
BindingFlags.NonPublic | BindingFlags.Instance,
new[] { typeof(HttpSessionStateContainer) },
.Invoke(new object[] { sessionContainer });

// Step 4: Assign the Context
HttpContext.Current = httpContext;
public void BasicTest_Push_Item_Into_Session()
// Arrange
var itemValue = "RandomItemValue";
var itemKey = "RandomItemKey";

// Act
HttpContext.Current.Session.Add(itemKey, itemValue);

// Assert
Assert.AreEqual(HttpContext.Current.Session[itemKey], itemValue);



  1. Great post man!. made my day today... thank you.

  2. Finally! This was just the post I needed. With all the dozens of posts on StackOverflow, they also forget about HttpContext. This nailed it on the head. Now I can get some actual work done today. :-)

  3. FYI: These are the namespaces I needed ..
    using System.IO;
    using System.Web;
    using System.Web.SessionState;
    using System.Reflection;
    using Microsoft.VisualStudio.TestTools.UnitTesting;

  4. Great ! You really saved my day.
    Thanks a lot.


Post a Comment

Popular posts from this blog

Internet Information Services(IIS) reveals its real or internal IP Address

In the ever changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure.

Keeping that in mind, we recently ran our flagship product through a security audit. It was such a helpful exercise in tying-off any remaining lose ends in our application in terms of application security. 
Based on the security audit report, there was a relatively minor issue that appeared when accessing the /images directory of our application. Turns out that the Location response header of the 301 request returns an Internal IP address. The issue is detailed below.

Issue reportedInternet Information Services (IIS) may reveal its real or internal IP address in the Location header via a request to the /images directory. The value returned whilst pen testing is

The riskInformation regarding internal IP add…

IIS Request Filtering to block HTTP Verbs (For example Trace)

The issueRequest Filtering is a built-in security feature that was introduced in Internet Information Services (IIS) 7.0. This can be used to block specific verbs like "Trace".

When request filtering blocks an HTTP request, IIS 7 will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. Verb Denied.

HTTP SubstatusDescription404.5URL Sequence Denied404.6Verb Denied404.7File Extension Denied404.8Hidden Namespace404.1Request Header Too Long404.11URL Double Escaped404.12URL Has High Bit Chars404.13Content Length Too Large