We've just discovered that Perch has a security risk. The Perch admin section is currently vulnerable to session fixation / session hijacking. Even after 30 minutes the session ID is still not expired. This can be fixed by adding the PHP function session_regenerate_id (https://php.net/manual/en/function.session-regenerate-id.php) every 5 minutes or even every request or x amount of requests.
I presume more advanced programmers will also counter this by adding session regeneration. But for more inexperienced programmers or even non-programmers this might be a risk.
Best regards, Bart
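
The mitigation suggested in the post above, sketched as an added example that is not part of the original post and is not Perch's own code: the session ID is rotated every 5 minutes or every N requests, idle sessions are expired after 30 minutes, and, going slightly beyond the post, the ID is also rotated at login. The function names, the request threshold and the session keys are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Perch code. Requires PHP 7.3+.
const REGENERATE_AFTER_SECONDS  = 300;   // rotate the ID every 5 minutes
const REGENERATE_AFTER_REQUESTS = 50;    // ...or after this many requests (assumed value)
const IDLE_TIMEOUT_SECONDS      = 1800;  // expire sessions idle for 30 minutes

function start_hardened_session(): void
{
    // Refuse session IDs the server did not issue and keep the ID out of URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the admin area is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    // Server-side idle timeout: drop the data and issue a fresh ID.
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;

    // Periodic rotation, by age of the ID or by request count.
    $_SESSION['requests'] = ($_SESSION['requests'] ?? 0) + 1;
    $age = $now - ($_SESSION['id_issued_at'] ?? 0);
    if ($age > REGENERATE_AFTER_SECONDS || $_SESSION['requests'] >= REGENERATE_AFTER_REQUESTS) {
        // true deletes the old session, so a captured or fixated ID stops working.
        session_regenerate_id(true);
        $_SESSION['id_issued_at'] = $now;
        $_SESSION['requests'] = 0;
    }
}

function on_login_success(int $userId): void
{
    // Rotate at the privilege change so a pre-login ID never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['id_issued_at'] = time();
    $_SESSION['requests'] = 0;
}
```

Deleting the old session immediately can log a user out when several requests are in flight at once; the PHP manual page linked in the post describes that trade-off.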