Cookie management and CSRF stuff harder to get right, hashing passwords is completely trivial with and library.

And the cookies are not difficult on a technical level, you just have to spend time understanding the threat models and mapping those models correctly onto your own app.