Tags: session, cookies, session-hijacking

How does this sound? Sessions & Cookies?


Cookies and sessions both have pros and cons. But I was thinking, how about when a user logs in it creates a session with their username and password in it, but when they register they are given a unique 'access token'.

So when they log in, it will create a cookie with their access token in it and a session with their username and password.

I will then scan the database for a user with the username and password in the session, and the access token in the cookie.

I was hoping this would prevent session hijacking.


Solution

  • No, it would not. Sessions are basically tokens in a cookie, so all you're doing is making a second token have to be stolen. If someone can steal one, they can steal two. I suggest you google around for strategies for preventing session hijacking.
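To make the answer's point concrete, here is an added example (not code from either poster) that implements the asker's two-cookie scheme in miniature against constructed in-memory stores; as a simplification of the example, the session holds only the username after a one-time password check rather than the password itself. Both tokens are issued at login and both are checked on every request, yet they travel together in the same Cookie header, so any request carrying a copy of that header passes the same check.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stand-ins for the asker's user table and session store
# (assumption of this example, not a real backend).
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "access_token": str}
SESSIONS = {}  # session id -> {"username": str}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> str:
    """Create the user and issue the per-user 'access token' from the question."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                       "access_token": token}
    return token


def login(username: str, password: str) -> Optional[dict]:
    """Verify the password once, then return the cookies the browser would store:
    the session id (the 'session') and the access token (the asker's second cookie)."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(
            user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username}  # kept server side; only the opaque id is sent
    return {"sid": sid, "access_token": user["access_token"]}


def authenticate(cookies: dict) -> Optional[str]:
    """The asker's per-request check: the session must exist AND the access-token
    cookie must match the user's record. Returns the username or None."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return None
    user = USERS[session["username"]]
    # constant-time comparison so token checks do not leak by timing
    if not secrets.compare_digest(user["access_token"], cookies.get("access_token", "")):
        return None
    return session["username"]
```

The second cookie does reject a request that has only the session id, but a request carrying both cookies, whoever sends it, is indistinguishable from the legitimate one.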