
I’m not too familiar with Rails (and this is unrelated to the point of the article), but is this code vulnerable to a session fixation attack (https://www.owasp.org/index.php/Session_fixation)?

I notice that it doesn't destroy the session when you log in/out, just changes a session variable.



No; session fixation requires that the attacker gain access to a session id and pass that on to the user. Rails doesn't use session ids by default. All session data is stored in the client cookie, and is verified with a cryptographic hash. If you can steal the cookie, you win, but that's much harder than session fixation.
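To make the mechanism in the reply above concrete, here is an added example (not code from either commenter and not Rails' own implementation) of a cookie-backed session in the style of Rails' cookie store: the whole session hash travels in the cookie as a Base64 payload joined to an HMAC with `--`, and the server keeps nothing keyed by a session id. The secret, the SHA-256 HMAC and the JSON serializer are assumptions for illustration; Rails derives its key from `secret_key_base` and its serializer and digest have varied across versions. The example shows that a tampered cookie is rejected, and that an attacker who handed the victim a pre-login cookie does not see the victim's login reflected in their own copy, because the state lives in the victim's cookie rather than on the server.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this example only; a real app derives its key from
# config.secret_key_base and never hard-codes it.
SECRET = 'example-secret-do-not-use-in-production'.freeze

# Constant-time comparison so an attacker cannot learn the digest byte by byte
# from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session hash and append an HMAC over the encoded payload.
# Format mirrors Rails' MessageVerifier output: "<base64 payload>--<hex digest>".
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{digest}"
end

# Check the HMAC and decode the payload. Returns the session hash, or nil when
# the cookie is malformed, forged or tampered with.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# A login handler in the style the first comment describes: it does not create
# a new server-side session (there is none); it just sets a session variable
# and hands the client a freshly signed cookie.
def login(cookie, user_id)
  session = verify_session(cookie) || {}
  sign_session(session.merge('user_id' => user_id))
end

# Attacker's attempt: edit the payload but keep the old digest.
def tamper(cookie, changes)
  payload, digest = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload)).merge(changes)
  "#{Base64.strict_encode64(JSON.generate(session))}--#{digest}"
end

# Demo (constructed scenario): attacker plants an empty pre-login cookie on the
# victim, the victim logs in, the attacker still holds the original cookie.
planted   = sign_session({})
victim    = login(planted, 42)
puts "victim session:   #{verify_session(victim).inspect}"      # {"user_id"=>42}
puts "attacker's copy:  #{verify_session(planted).inspect}"     # {}
puts "tampered cookie:  #{verify_session(tamper(victim, 'user_id' => 1)).inspect}" # nil
puts "wrong secret:     #{verify_session(sign_session({ 'user_id' => 1 }, 'guess')).inspect}" # nil
```

The interesting contrast with a server-side store is in `login`: with an id-based store, the attacker's fixed id would now map to the victim's authenticated record on the server, which is why `reset_session` matters there; here the attacker's copy of the cookie is just stale bytes. Stealing the post-login cookie itself remains fatal, as the reply notes, and signing does not hide the payload, so nothing secret should be placed in an unencrypted cookie session.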



