If necessary, the mechanism can be changed or completely disabled.
Once the session is established, examine and set its properties using the provided methods.
Once the victim is authenticated, the SID (known to the attacker) remains the same and the session is compromised.
In Java, you can define how the session ID should be transmitted in
To prevent a session fixation attack through a URL parameter, set the tracking mode to either COOKIE or SSL.
A good countermeasure against the session fixation attack is to change the session ID every time the user authenticates.
The way it can be changed differs depending on the Servlet version.
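Both countermeasures in one place, as an added example that is not code from the original page: cookie-only tracking set at startup, and session ID rotation after login for Servlet 3.1+ with a fallback for Servlet 3.0. The class name `SessionHardening` and the method name `rotateSessionId` are hypothetical, and the `javax.servlet` namespace is an assumption (newer containers use `jakarta.servlet`).

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical class name; the container registers it once per web application.
@WebListener
public class SessionHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Cookie-only tracking: the container stops reading and writing
        // ;jsessionid=... in URLs, so an ID cannot be fixed through a link.
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    // Call immediately after the user's credentials have been verified.
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true);   // no pre-login session to rotate
        }
        ServletContext ctx = request.getServletContext();
        boolean hasChangeSessionId = ctx.getMajorVersion() > 3
                || (ctx.getMajorVersion() == 3 && ctx.getMinorVersion() >= 1);
        if (hasChangeSessionId) {
            request.changeSessionId();         // Servlet 3.1+: same session, new ID
            return old;
        }
        // Servlet 3.0: copy attributes, invalidate, then create a fresh session.
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

In both branches, the ID the client held before authentication no longer maps to the authenticated session.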