Cookies in Rails are encrypted and signed, and as far as I am aware, simply setting your session hash cookie to a bunch of random gibberish is not, in fact, going to just create a new session. (Also, "creating a new random session" is not what a session fixation attack is, but let's leave that aside for now.) Given this encryption, how do you propose to execute this attack? I don't usually like to be the "[citation needed]" guy, but: citation needed.