What flaws lie behind HttpContext.Current object in .NET?

"don't put session or System.Web into your business layers"

The primary reason for this is that it completely makes unit testing a nightmare. Your business layer is supposed to be completely separate from your web layer; you should be able to take that BLL and put it into a desktop app and have it run fine.

Because HttpContext.Current is a collection of objects (Request, Response, Session, etc.) and they each have their own sources (Request headers, Response buffer, Session tied to ASP.NET Session ID cookie), there isn't one universal answer for just the HttpContext.

However, Sessions do have some inherent issues; hijacking and session fixation are among them, mainly caused by the inability to rotate session IDs on log-in. Microsoft has declined to fix this, and you'll need to implement security around that (say, Webforms encryption of your session ID on log-in is one example I briefly looked into (you'll want to research it more), or, as we use, an authentication cookie that is tied to your session that is HTTPS only and rotates when required).

As for items like User and Identity, those depend on your authentication methods, usually handled by Webforms, but if you use a custom one, again, security is up to you to use standard practices.
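
The mitigation mentioned in the answer above (an HTTPS-only authentication cookie tied to the session), shown as an added example that is not part of the original answer or of ASP.NET itself. The class name `SessionBinding`, the cookie and session key `AuthToken`, and the method names are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical helper: pairs the session with a random cookie issued at log-in,
// so a session ID fixed or captured before log-in is not enough on its own.
public static class SessionBinding
{
    private const string Name = "AuthToken"; // assumed cookie and session key name

    // Call right after credentials are verified; call again to rotate the token.
    public static void Issue(HttpContextBase ctx)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "");

        ctx.Session[Name] = token;              // server-side copy
        ctx.Response.Cookies.Add(new HttpCookie(Name, token)
        {
            HttpOnly = true,                    // not readable from script
            Secure = true,                      // sent over HTTPS only
            Path = "/"
        });
    }

    // Call on every authenticated request; reject the request when this is false.
    public static bool IsValid(HttpContextBase ctx)
    {
        string expected = ctx.Session == null ? null : ctx.Session[Name] as string;
        HttpCookie cookie = ctx.Request.Cookies[Name];
        if (expected == null || cookie == null || cookie.Value == null) return false;
        if (expected.Length != cookie.Value.Length) return false;
        int diff = 0;                           // compare without early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ cookie.Value[i];
        return diff == 0;
    }

    // Call on log-out: drop the server-side session and expire the cookie.
    public static void Revoke(HttpContextBase ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie(Name, "")
        {
            Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true
        });
    }
}
```

Taking `HttpContextBase` as a parameter rather than reading `HttpContext.Current` keeps the helper in the web layer and lets it be exercised with a fake context in unit tests.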