Intermittent 403 error when logging in.

Jay-7008 1 Reputation point
2021-11-08T07:47:51.617+00:00

Intermittent 403 (phase 2) error when logging in.
On the login page of my app, I randomly get a 403 error which prevents the user doing anything else until the cookies are deleted.

To get the error I just log in/log out, log in/log out. Sometimes it happens when I use the same user details, sometimes it happens when I swap users. There is no pattern to it. Sometimes it works OK for, say, 20 tries; other times 4 tries is enough.

Here is the log from the server

GET / HTTP/1.1
Cache-Control: max-age=0
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-AU;q=0.9
Cookie: ASP.NET_SessionId=t3rihovcxgprmsj0mkpcs4dh; __AntiXsrfToken=3ee0ba877dec45ef8281e40fd07d2fe6; .AspNet.ApplicationCookie=bPqDV2fP0WEgNmls-AuqUjM7n--M2mZB1L85v2gH5hTFKafS8JS_Gz7wPWzHYI8LGDFeCS0ljOJGD9pe7M-u0kg0O0o5uf7OU742cb-GqOcEiJkEdHbsYO5zeOxeRJEFnw_H-L4Y01GM4QxLLgkxepjJd_B1AiHIT8quYvs2VnU4OQjCSQsNDqVWuVo0CyQwfMpV4OZoOtYIpP9EjOWG7uWGstOnNhSMdO113zRA8fcIIRJNlALnaC-NxqWKpmd2tbiMQuhhRszyOUil4MNzHeWN6jtZuJew82X0BmbZ3EZ7xDhlkfCdK-jggQvJeNkYxbYBQwqAFFqZ02BgxTbQuI7fPE80kbp2cYQVTjnBS-N2kqzyWGCiRPGKX_Ko5uzdhLXSKZ9xdEWF-LCAEEdyqtqivRkUGFKvRE98Gi1HdPmcswpNGmwhQDsxoR9mwz6P0Fg4p2KMkgjENm37aohaz9LQw9aNYDW-vRtL55pc6SvFVxbsy_GrPVmmbyLNlpvb
Host: www.mysite.com
Referer: https://www.mysite.com/Account/Login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document

--be180000-F--
HTTP/1.1 500 Internal Server Error

--be180000-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\x00)" at REQUEST_COOKIES:.AspNet.ApplicationCookie. [file "C:/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1207"] [id "942440"] [msg "SQL Comment Sequence Detected"] [data "Matched Data: --M2mZB1L85v2gH5hTFKafS8JS_Gz7wPWzHYI8LGDFeCS0ljOJGD9pe7M- found within REQUEST_COOKIES:.AspNet.ApplicationCookie: bPqDV2fP0WEgNmls-AuqUjM7n--M2mZB1L85v2gH5hTFKafS8JS_Gz7wPWzHYI8LGDFeCS0ljOJGD9pe7M-u0kg0O0o5uf7OU742cb-GqOcEiJkEdHbsYO5zeOxeRJEFnw_H-L4Y01GM4QxLLgkxepjJd_B1AiHIT8quYvs2VnU4OQjCSQsNDqVWuVo0CyQwfMpV4OZoOtYIpP9EjOWG7uWGstOnNhSMdO113zRA8fcIIRJNlALnaC-NxqWKpmd2tbiMQuhhRszyOUil4MNzHeWN6jtZuJew82X0BmbZ3EZ7xDhlkfCdK-jggQvJeNkYxbYBQwqAFFqZ02BgxTbQuI7fPE80kbp2cYQVTjnBS-N2kqzyWGCiRPGKX_Ko..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [t
Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1636356355872012 6003 (- - -)
Stopwatch2: 1636356355872012 6003; combined=5006, p1=1013, p2=3494, p3=0, p4=0, p5=499, sr=1013, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

Windows development | Internet Information Services
Developer technologies | ASP.NET | Other

1 answer

  1. Jay-7008 1 Reputation point
    2021-11-09T03:12:20.097+00:00

    Resolved by getting my host to create a new rule for mod security.
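
Why the block in the log above is intermittent, shown as an added example that is not part of the original post or answer: it applies the `--[^-]*?-` alternative of CRS rule 942440, the one the logged Matched Data corresponds to, to the logged cookie and to random base64url tokens. The random tokens and the 384-byte length (about the size of the logged cookie) are assumptions standing in for the encrypted ASP.NET cookie.

```python
import re
import secrets

# Alternative of CRS 3.3.0 rule 942440 that fired in the audit log:
# "--", then any run of non-dash characters, then another "-".
# The other alternatives need ', ;, #, /, * or whitespace, none of which
# occur in the base64url alphabet (A-Z a-z 0-9 - _), so only this one can
# fire on such a cookie value.
SQL_COMMENT = re.compile(r"--[^-]*?-")

# Leading part of the cookie value from the audit log (shortened here).
LOGGED_COOKIE_PREFIX = (
    "bPqDV2fP0WEgNmls-AuqUjM7n--M2mZB1L85v2gH5hTFKafS8JS_Gz7wPWz"
    "HYI8LGDFeCS0ljOJGD9pe7M-u0kg0O0o5uf7OU742cb-GqOcEiJkEdHbsYO5"
)


def rule_matches(cookie_value):
    """Return the substring the pattern would flag, or None if it is clean."""
    m = SQL_COMMENT.search(cookie_value)
    return m.group(0) if m else None


def random_cookie(n_bytes=384):
    """Constructed stand-in for an encrypted cookie: random bytes, base64url-encoded."""
    return secrets.token_urlsafe(n_bytes)


def false_positive_rate(trials=20000, n_bytes=384):
    """Share of freshly issued random cookies that the rule would block."""
    hits = sum(rule_matches(random_cookie(n_bytes)) is not None
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("flagged in logged cookie:", rule_matches(LOGGED_COOKIE_PREFIX))
    print("random cookies blocked  :", f"{false_positive_rate():.1%}")
```

Each login issues a new cookie value, so only some logins produce a `--` followed by a later `-`, and the block persists until that cookie is cleared. A common narrowly scoped fix is a `SecRuleUpdateTargetById` exclusion that removes `REQUEST_COOKIES:.AspNet.ApplicationCookie` from rule 942440 only, rather than disabling the rule; the answer does not say which rule the host created.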
