No longer log in after update - request timeout

After updating to 5.40 I can no longer log in, the server log is this:

ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 1ms
Authorization failed
"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
Error ID:
NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.40.1/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.40.1/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.40.1/node_modules/express/lib/router/route.js:144:13)
    at authenticate (/var/lib/ghost/versions/5.40.1/core/server/services/auth/session/middleware.js:28:13)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
[2023-03-27 11:24:04] INFO "GET /ghost/api/admin/site/" 200 2ms
[2023-03-27 11:24:04] INFO "GET /ghost/api/admin/authentication/setup/" 200 7ms

when logging in, the next Post request to ghost/api/admin/session after a while returns error 524
while on the server the log reports:

[2023-03-27 11:27:54] INFO "POST /ghost/api/admin/session" 200 99011ms

very strange that ghost takes more than 1,5 minutes to process the request.

Do you have any suggestions?

Error 524 is a timeout error, and usually caused by a long-running process on the server. This could be a consequence of increased server load following the upgrade.

What server are you running, and how much CPU and memory is available?

it is not related to server resources, i am using an Oracle vps with 2CPU 24gb ram. i have other ghost installations that are still not up to date and have no problems.

from the log you can see that the other requests are processed within a few milliseconds only the /admin/session takes more than 1,5 minutes

the timeout is forced by the cloudflare proxy, and is set to 100sec.
If I disable the proxy, the request is never processed even after more than 10 minutes.

Only if I close the browser page does the log appear on the server:

[2023-03-27 20:50:00] INFO "POST /ghost/api/admin/session" 200 5805ms

Even if I enter an incorrect password the request returns the code 200 (only after timeout)

If I send several consecutive requests by pressing the login button, the page breaks and appears:

Page not found

in the log:

NotFoundError: Page not found

Do you have anything in your setup, e.g., Nginx caching, that could prevent the authentication cookie being set?