No; session fixation requires that the attacker gain access to a session id and pass that on to the user. Rails doesn't use session ids by default. All session data is stored in the client cookie, and is verified with a cryptographic hash. If you can steal the cookie, you win, but that's much harder than session fixation.