Monday, January 5, 2015

Why shouldn't I implement custom authentication for a web app?



To avoid having the user log in every time his session expires, I want to implement a token-based authentication system.

My thought process is as follows:



  1. Let the user login (send name + password) via $.ajax() to a https URI

  2. Create a token via $token = bin2hex(openssl_random_pseudo_bytes(16));

  3. Save $token, userid and date in a MySQL DB (only accessible by SSL)

  4. Echo the $token and userid to the client

  5. Save the $token and userid in html localStorage on the client

  6. When doing an $.ajax() from the client, always send userid and $token as POST

  7. Server-side, match the provided $token and see if it is still valid (date not expired).

  8. If it's alright, continue to deliver the requested material


This makes much sense in my eyes as an inexperienced PHP, SQL, JS developer.

But many people advise against implementing custom authentication processes, as they are often vulnerable to attacks.

I have the strong feeling that my approach also has flaws.

Can you reveal these flaws to me?




