I have a website written in C# with .NET Core 3.1 MVC. I have enabled SSL and role-based authentication for this site, and it is hosted with a hosting provider. When I try to access the site, it sometimes gives me an HTTP 403 Forbidden: Access Denied error, but if I clear my browser's cookies and refresh the page, I can access it without a problem. I also get this problem when I try to access public controllers (ones that don't have the Authorize attribute). Can anyone help me with this? Thanks a lot.
My ConfigureServices method in Startup.cs file:
/// <summary>
/// Registers the application's services: IIS server options, the EF Core
/// context, ASP.NET Core Identity, authentication scheme defaults, MVC and
/// Razor Pages, the application cookie settings, and the e-mail sender.
/// </summary>
/// <param name="services">The service collection to populate.</param>
public void ConfigureServices(IServiceCollection services)
{
    // With AutomaticAuthentication off, IIS does not populate HttpContext.User
    // by itself; identities come only from the schemes configured below.
    services.Configure<IISServerOptions>(iis => iis.AutomaticAuthentication = false);

    services.AddDbContext<ApplicationDbContext>(db =>
    {
        db.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"));
    });

    // Identity backed by the EF Core store, with the default token providers.
    var identity = services.AddIdentity<IdentityUser, IdentityRole>();
    identity.AddEntityFrameworkStores<ApplicationDbContext>();
    identity.AddDefaultTokenProviders();

    // Cookie-based application scheme for authenticate/challenge and the
    // external scheme for sign-in. These match the defaults that AddIdentity
    // registers, so this call restates them explicitly.
    services.AddAuthentication(auth =>
    {
        auth.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
        auth.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
        auth.DefaultSignInScheme = IdentityConstants.ExternalScheme;
    });

    services.AddScoped<IDbInitializer, DbInitializer>();
    services.AddControllersWithViews();
    services.AddRazorPages();

    // Must come after AddIdentity so these values override Identity's cookie
    // defaults. Unauthenticated requests are sent to LoginPath; authenticated
    // users without the required role are sent to AccessDeniedPath.
    // NOTE(review): Cookie.SecurePolicy and Cookie.SameSite are not set here,
    // so the framework defaults apply. For an HTTPS-only site, consider
    // CookieSecurePolicy.Always so the auth cookie is never sent over plain
    // HTTP - confirm against how the hosting provider terminates TLS.
    services.ConfigureApplicationCookie(cookie =>
    {
        cookie.ExpireTimeSpan = TimeSpan.FromHours(1);
        cookie.LoginPath = "/Identity/Account/Login";
        cookie.AccessDeniedPath = "/Identity/Account/AccessDenied";
    });

    services.AddTransient<IMessage, EmailService>();
}
My Configure Method in Startup.cs:
/// <summary>
/// Builds the HTTP request pipeline: error handling, HSTS, database
/// initialization, HTTPS redirection, static files, routing,
/// authentication/authorization, and the endpoint route table.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment, used to pick error handling.</param>
/// <param name="initializer">The database initializer, run once during pipeline setup.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IDbInitializer initializer)
{
    if (!env.IsDevelopment())
    {
        // The exception handler is disabled (was: app.UseExceptionHandler("/Home/Error")),
        // so unhandled exceptions are not routed to an error page in production.

        // Error status responses without a body are turned into a redirect to "/".
        // NOTE(review): because of this, an application-generated 403 would
        // normally show up as a redirect rather than a bare 403 page, so a raw
        // 403 reaching the browser may originate upstream of the app
        // (proxy, WAF, host firewall) - confirm with server logs.
        app.UseStatusCodePagesWithRedirects("/");

        // The default HSTS value is 30 days. You may want to change this for
        // production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }
    else
    {
        // Detailed exception and database error pages: development only.
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
    }

    initializer.Initialize();

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    // Order matters: routing, then authentication, then authorization,
    // and only then the endpoints.
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(routes =>
    {
        // Routes are matched in registration order; keep the most specific first.

        // "/{action}" -> User area, Home controller.
        routes.MapControllerRoute(
            name: "user_default",
            pattern: "{action=Index}",
            defaults: new {area = "User", controller = "Home", action = "Index"},
            constraints: new {area = "User", controller = "Home"});

        // "/Products/{mainCategory}/{category}/{product}" -> User area, Products controller.
        routes.MapControllerRoute(
            name: "products_default",
            pattern: "{controller}/{mainCategory}/{category}/{product}",
            defaults: new {area = "User", action = "Index", mainCategory = "", category = "", product = ""},
            constraints: new {area = "User", controller = "Products"});

        // Any other controller in the User area, without the area segment in the URL.
        routes.MapControllerRoute(
            name: "user_subcontrollers_default",
            pattern: "{controller=Home}/{action=Index}/{id?}",
            defaults: new {area = "User"},
            constraints: new {area = "User"});

        // Fallback with an explicit area segment.
        routes.MapControllerRoute(
            name: "default",
            pattern: "{area=User}/{controller=Home}/{action=Index}/{id?}");

        routes.MapRazorPages();
    });
}
Check whether the controller or action method being called has a decorator like the one below, and whether the user has the required role:
[Authorize(Roles = "CreateRecord")]
It turns out that our hosting provider's firewall settings were causing this issue. After they reconfigured the firewall, our 403 errors stopped. Sadly, I do not know what they changed in the firewall.