D2 · Threats

What is session fixation?

In session fixation, the attacker plants a session ID they already know into the victim's browser before the victim authenticates; once the victim logs in, the application binds the authenticated state to that pre-set ID, and the attacker uses it to hijack the session.
Prevention: generate a new session ID after successful authentication, which invalidates any pre-authentication session ID. Session fixation differs from session hijacking, in which the attacker steals an existing session ID rather than setting one in advance.