allocate_remember_me_token contains this code:

# Generate a 128-bit token. irand is 32-bit.
my $token = join('', map { '' . Math::Random::Secure::irand() } (0 .. 3));

This doesn't provide what it advertises, i.e. 128 bit of entropy, because multiple quadruples of 32-bit numbers map to the same token (e.g. 12, 34, 56, 78 and 1, 234, 567, 8 have the same concatenation).

It's not a problem in practice since it's still worth more than 126 bits. It doesn't look good, though.