diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
index ddc8896ba..742ef9668 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
@@ -24,6 +24,7 @@ import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
/*******************************************************************************
*
@@ -79,6 +80,12 @@ public class HammerHead extends HttpServlet
*/
public static String propertiesPath = null;
+ /**
+ * provides convenience methods for getting setup information
+ * from the ServletContext
+ */
+ private WebgoatContext webgoatContext = null;
+
/**
* Description of the Method
@@ -289,6 +296,7 @@ public class HammerHead extends HttpServlet
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
propertiesPath = getServletContext().getRealPath(
"./WEB-INF/webgoat.properties");
+ webgoatContext = new WebgoatContext(this);
}
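Review bot: `webgoatContext` is now built once per servlet instance here rather than once per WebSession, so every init parameter it reads (including DefuseOSCommands) is snapshotted at startup and shared by all sessions; the field's Javadoc in the hunk above should say that it is assigned in init() and is not modified afterwards. Judging by the WebgoatContext constructor later in this diff, that constructor also performs the one-time database build, so a failure there now fails init() and leaves the servlet unavailable instead of failing a single session — that is the safer outcome, but worth a short comment on this line, e.g. `// one shared context per servlet; reads web.xml once and builds the DB if needed`. init() starts outside this hunk.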
@@ -481,7 +489,7 @@ public class HammerHead extends HttpServlet
{
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
- session = new WebSession(this, context);
+ session = new WebSession(webgoatContext, context);
hs.setAttribute(WebSession.SESSION, session);
// reset timeout
hs.setMaxInactiveInterval(sessionTimeoutSeconds);
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
index 45e406024..5479de649 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
@@ -68,13 +68,13 @@ public class CommandInjection extends LessonAdapter
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
- boolean illegalCommand = s.isDefuseOSCommands();
+ boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
try
{
String helpFile = s.getParser().getRawParameter(HELP_FILE,
"BasicAuthentication.help");
String safeDirName;
- if (s.isDefuseOSCommands()
+ if (getWebgoatContext().isDefuseOSCommands()
&& (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1))
{
int index = helpFile.indexOf('&');
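Review bot: `getWebgoatContext().isDefuseOSCommands()` is evaluated three times in createContent although its value is already captured in `illegalCommand` at line 47; the condition at line 54 (and the one in the next hunk at line 62) should read `if (illegalCommand && ...)` so the check that gates the code path cannot diverge from the flag that is reported to the user. The same duplicated call appears in PathBasedAccessControl at lines 87-88, where `if (illegalCommand)` would do. `getWebgoatContext()` is not defined anywhere in this diff, so presumably it is inherited from AbstractLesson; if that accessor can return null before the lesson is wired into a context, these calls fail with an NPE at request time rather than a clear error. createContent continues past this hunk.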
@@ -123,7 +123,7 @@ public class CommandInjection extends LessonAdapter
}
}
- if (s.isDefuseOSCommands() && helpFile.indexOf('&') == -1
+ if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1
&& helpFile.indexOf(';') == -1)
{
if (helpFile.length() > 0)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
index 385e2043f..b01158f13 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -81,7 +81,7 @@ public abstract class LessonAdapter extends AbstractLesson
+ "In fact, most lessons can be created by following the easy to use instructions in the "
+ "WebGoat User Guide. "
+ "If you would prefer, send your lesson ideas to "
- + s.getFeedbackAddress()));
+ + getWebgoatContext().getFeedbackAddress()));
String fileName = s.getContext().getRealPath(
"doc/New Lesson Instructions.txt");
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
index 0f06543cb..21834abd3 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
@@ -102,8 +102,8 @@ public class PathBasedAccessControl extends LessonAdapter
String file = s.getParser().getRawParameter(FILE, "");
// defuse file searching
- boolean illegalCommand = s.isDefuseOSCommands();
- if (s.isDefuseOSCommands())
+ boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
+ if (getWebgoatContext().isDefuseOSCommands())
{
// allow them to look at any file in the webgoat hierachy. Don't allow them
// to look about the webgoat root, except to see the LICENSE file
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
index f2c9b4675..7381fd848 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
@@ -104,7 +104,7 @@ public class ReportCardScreen extends LessonAdapter
ElementContainer ec = new ElementContainer();
ec.addElement(new Center(new StringElement(
"Comments and suggestions are welcome. "
- + s.getFeedbackAddress())));
+ + getWebgoatContext().getFeedbackAddress())));
return ec;
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
index 052f5c36a..5e389454f 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
@@ -123,29 +123,6 @@ public class WebSession
*/
public final static String SESSION = "Session";
- /**
- * Description of the Field
- */
- public final static String ENTERPRISE = "Enterprise";
-
- /**
- * Description of the Field
- */
- public final static String SHOWCOOKIES = "ShowCookies";
-
- /**
- * Description of the Field
- */
- public final static String SHOWPARAMS = "ShowParams";
-
- /**
- * Description of the Field
- */
- public final static String SHOWREQUEST = "ShowRequest";
-
- /**
- * Description of the Field
- */
public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWHINTS = "ShowHints";
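Review bot: `SHOWSOURCE` and `SHOWHINTS` are kept here while identical constants are added to WebgoatContext later in this diff, so the same init-parameter name now has two definitions that can drift; keep one and reference it from the other class, e.g. `public final static String SHOWSOURCE = WebgoatContext.SHOWSOURCE;`. The same applies to `DEBUG` in the next hunk at line 152, which is also duplicated in WebgoatContext. The removed constants were public, so any caller outside this diff (including JSPs, which only fail when compiled at request time) that referenced `WebSession.SHOWPARAMS` and friends needs to be pointed at WebgoatContext.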
@@ -162,20 +139,7 @@ public class WebSession
public final static String SHOW_SOURCE = "Source";
- /**
- * Description of the Field
- */
- public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
-
- /**
- * Description of the Field
- */
- public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
-
- /**
- * Description of the Field
- */
- public final String DEBUG = "debug";
+ public final static String DEBUG = "debug";
/**
* Description of the Field
@@ -205,7 +169,6 @@ public class WebSession
private boolean isColor = false;
private boolean isDebug = false;
-
private boolean hasHackedHackableAdmin = false;
private StringBuffer message = new StringBuffer( "" );
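Review bot: `isDebug` is kept as a WebSession field although the constructor in this diff no longer assigns it from the DEBUG init parameter and the hunk at line 239 now reads `webgoatContext.isDebug()` instead, so unless a setter elsewhere writes it the field is permanently false. Either remove the field and have any remaining `isDebug()` accessor delegate with `return webgoatContext.isDebug();`, or initialise it in the constructor next to the show* flags with `isDebug = webgoatContext.isDebug();`.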
@@ -228,12 +191,6 @@ public class WebSession
private boolean showSource = false;
- private boolean defuseOSCommands = false;
-
- private boolean enterprise = false;
-
- private String feedbackAddress = "webgoat@g2-inc.com";
-
private boolean completedHackableAdmin = false;
private int currentMenu;
@@ -244,20 +201,14 @@ public class WebSession
* @param servlet Description of the Parameter
* @param context Description of the Parameter
*/
- public WebSession( HttpServlet servlet, ServletContext context )
+ public WebSession(WebgoatContext webgoatContext, ServletContext context )
{
- webgoatContext = new WebgoatContext(servlet);
+ this.webgoatContext = webgoatContext;
// initialize from web.xml
- showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
- showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
- showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
- defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
- enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
- feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
- .getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
- showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
- isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
- servletName = servlet.getServletName();
+ showParams = webgoatContext.isShowParams();
+ showCookies = webgoatContext.isShowCookies();
+ showSource = webgoatContext.isShowSource();
+ showRequest = webgoatContext.isShowRequest();
this.context = context;
course = new Course();
course.loadCourses( webgoatContext, context, "/" );
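Review bot: The Javadoc for this constructor still documents `@param servlet` although the parameter is now `webgoatContext`; replace it with `@param webgoatContext shared configuration built once in HammerHead.init(); must not be null`. The removed line `servletName = servlet.getServletName();` has no replacement, so if WebSession still declares a `servletName` field (it is not touched by this diff) it is never assigned anymore — either drop it or add `servletName = webgoatContext.getServletName();` alongside the show* assignments. The constructor dereferences `webgoatContext` immediately, so a null argument fails with a bare NPE; `Objects.requireNonNull(webgoatContext, "webgoatContext");` as the first statement would make the precondition explicit. The constructor body continues past this hunk.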
@@ -854,36 +805,6 @@ public class WebSession
return ( showSource );
}
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean isDefuseOSCommands()
- {
- return ( defuseOSCommands );
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean isEnterprise()
- {
- return ( enterprise );
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public String getFeedbackAddress()
- {
- return ( feedbackAddress );
- }
-
/**
* Gets the userName attribute of the WebSession object
*
@@ -976,7 +897,7 @@ public class WebSession
// clear variables when switching screens
if ( this.getCurrentScreen() != this.getPreviousScreen() )
{
- if ( isDebug )
+ if ( webgoatContext.isDebug() )
{
setMessage( "Changed to a new screen, clearing cookies and hints" );
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java
index b149f9c60..df7e95d12 100755
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java
@@ -4,8 +4,6 @@ import java.sql.Connection;
import javax.servlet.http.HttpServlet;
-import org.owasp.webgoat.lessons.admin.RefreshDBScreen;
-
public class WebgoatContext {
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
@@ -16,6 +14,24 @@ public class WebgoatContext {
public final static String DATABASE_PASSWORD = "DatabasePassword";
+ public final static String ENTERPRISE = "Enterprise";
+
+ public final static String SHOWCOOKIES = "ShowCookies";
+
+ public final static String SHOWPARAMS = "ShowParams";
+
+ public final static String SHOWREQUEST = "ShowRequest";
+
+ public final static String SHOWSOURCE = "ShowSource";
+
+ public final static String SHOWHINTS = "ShowHints";
+
+ public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
+
+ public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
+
+ public final static String DEBUG = "debug";
+
private static boolean databaseBuilt = false;
private String databaseConnectionString;
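Review bot: `SHOWHINTS` is added here but no `showHints` field, constructor read or `isShowHints()` accessor is added in the later hunks of this file, so the constant is dead in this class; either wire it up like the other flags or leave it out. These names are keys read from web.xml in the constructor, which is not obvious from the declarations alone; a one-line comment above the group, `// web.xml init-parameter names, read once in the constructor`, would make that clear.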
@@ -28,6 +44,24 @@ public class WebgoatContext {
private String databasePassword;
+ private boolean showCookies = false;
+
+ private boolean showParams = false;
+
+ private boolean showRequest = false;
+
+ private boolean showSource = false;
+
+ private boolean defuseOSCommands = false;
+
+ private boolean enterprise = false;
+
+ private String feedbackAddress = "webgoat@g2-inc.com";
+
+ private boolean isDebug = false;
+
+ private String servletName;
+
private HttpServlet servlet;
public WebgoatContext(HttpServlet servlet) {
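Review bot: The field `isDebug` is named like its accessor `isDebug()`, which differs from the other boolean fields in this class (`showCookies`, `enterprise`) and is easy to misread as a method call; rename it to `debug` and return it from `isDebug()`. `feedbackAddress` carries a hard-coded default that was moved from WebSession without explanation; a comment such as `// default used when the FeedbackAddress init parameter is absent` would make the intent clear.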
@@ -38,6 +72,18 @@ public class WebgoatContext {
databaseUser = servlet.getInitParameter(DATABASE_USER);
databasePassword = servlet.getInitParameter(DATABASE_PASSWORD);
+ // initialize from web.xml
+ showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
+ showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
+ showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
+ defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
+ enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
+ feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
+ .getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
+ showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
+ isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
+ servletName = servlet.getServletName();
+
// FIXME: need to solve concurrency problem here -- make tables for this user
if ( !databaseBuilt ) {
try {
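Review bot: The flag parsing is case-sensitive, so a web.xml value such as `True` or `TRUE` for DefuseOSCommands silently leaves the safeguard off and the lessons take the unfiltered path; `Boolean.parseBoolean` is null-safe and case-insensitive, e.g. `defuseOSCommands = Boolean.parseBoolean(servlet.getInitParameter(DEFUSEOSCOMMANDS));`, and the same form suits the other boolean flags. The FEEDBACK_ADDRESS lookup calls `getInitParameter` twice; a local, `String configured = servlet.getInitParameter(FEEDBACK_ADDRESS); if (configured != null) feedbackAddress = configured;`, reads better. Since HammerHead now constructs this context once in init(), the `databaseBuilt` FIXME below presumably concerns multiple servlet instances rather than multiple sessions; the comment could be updated to say so. The constructor continues past this hunk.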
@@ -103,4 +149,40 @@ public class WebgoatContext {
return (databasePassword);
}
+ public boolean isDefuseOSCommands() {
+ return defuseOSCommands;
+ }
+
+ public boolean isEnterprise() {
+ return enterprise;
+ }
+
+ public String getFeedbackAddress() {
+ return feedbackAddress;
+ }
+
+ public boolean isDebug() {
+ return isDebug;
+ }
+
+ public String getServletName() {
+ return servletName;
+ }
+
+ public boolean isShowCookies() {
+ return showCookies;
+ }
+
+ public boolean isShowParams() {
+ return showParams;
+ }
+
+ public boolean isShowRequest() {
+ return showRequest;
+ }
+
+ public boolean isShowSource() {
+ return showSource;
+ }
+
}
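Review bot: None of the new accessors has Javadoc, and because they expose configuration read once from web.xml at construction, a reader cannot tell from the signatures whether the values can change at runtime; a comment such as `/** Whether lessons apply the DefuseOSCommands safeguard; read from the web.xml init parameter when the context is built and fixed afterwards. */` on `isDefuseOSCommands()`, with the equivalent on the other getters, would close that gap. There is no `isShowHints()` to match the `SHOWHINTS` constant added earlier in this file, so that constant is currently unreachable through the public API.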