Short answer: add the "--preload-app" flag to the Starman command line.
Long answer: As of LedgerSMB 1.8, session information is stored in an encrypted cookie. To make sure the encryption key is unique for every installation, a new encryption secret is being generated each time LedgerSMB is started. However, Starman (without the "--preload-app" flag) loads the application in each forked worker separately, leading to different encryption secrets in each worker with the indicated behaviour as a result.