Tags: php, html, security, session, session-fixation

Is session fixation possible if not using POST and/or GET?


From what I can read online, it appears that session fixation attacks are caused by session_id information being passed through query strings in the URL, or possibly through POST. For my website, I never pass the session information through GET or POST; I am simply storing the session information in the SESSION! That seems incredibly obvious to me, to the point that I feel as if I am missing something... Can you protect your clients' session_id information if you simply store the session_id in the browser's SESSION?


Solution

  • Session fixation is an attack where the attacker defines the session id or is able to create one that is known to him, then passes this ID to the unsuspecting victim, who uses this ID, not knowing that it wasn't created randomly.

    Your mention of "you are storing the session information in the session" completely misses the point. This attack doesn't mean to access this data directly. It targets the ID - this ID should be sufficiently random, but the session fixation attack circumvents this.

    Note that even when there is no possibility of session fixation, there are more possible attack vectors available to break into a session.
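The following PHP login handler is an added example, not code from the question or the answer above. It shows the fixation-prone pattern the question describes (accept whatever session ID the browser presents, store the user in `$_SESSION`, done) beside a hardened version that refuses IDs the server never issued and regenerates the ID when the user logs in. `check_credentials`, the user `alice` and her password are constructed placeholders; the `ini_set` and `session_set_cookie_params` calls are real PHP APIs (the array form of `session_set_cookie_params` needs PHP 7.3+, `session.use_strict_mode` needs PHP 5.5.2+), and they must run before `session_start()`.

```php
<?php
// Added example (not from the original question or answer). The answer's point
// is that the attacker controls the session *ID*, not the data in $_SESSION,
// so the defence is to refuse attacker-chosen IDs and to issue a fresh one at
// the moment the session gains privileges.

// --- Fixation-prone version (what the question describes) -------------------
// Any session ID the browser presents (for example one planted in a cookie
// beforehand) is adopted by session_start() and, after a successful login,
// keeps being the ID that now identifies the authenticated user.
function login_vulnerable(string $user, string $password): bool
{
    session_start();                 // adopts the presented ID, issued by this server or not
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;       // data lives in $_SESSION, but the ID is unchanged
    return true;
}

// --- Hardened version ---------------------------------------------------------
function login_hardened(string $user, string $password): bool
{
    // 1. Discard IDs this server never issued: with strict mode on, an
    //    uninitialised ID presented by the client is replaced by a new one
    //    instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // 2. Never take the ID from the URL; set explicitly rather than relying on
    //    the php.ini defaults.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // 3. Keep the cookie out of reach of scripts and off plaintext HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!check_credentials($user, $password)) {
        return false;
    }
    // 4. Replace the ID when privilege changes and delete the old session
    //    data, so a pre-login ID (fixed or not) never becomes an
    //    authenticated one.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Constructed placeholder credential check. A real application would look the
// hash up in its user store; password_hash/password_verify are standard PHP.
function check_credentials(string $user, string $password): bool
{
    static $stored = null;
    if ($stored === null) {
        $stored = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

// Usage from a login form handler (assumed field names):
// $ok = login_hardened($_POST['user'] ?? '', $_POST['password'] ?? '');
// After a successful call, session_id() differs from the value the browser
// sent, which is exactly what a fixation attempt relies on not happening.
```

The check a practitioner can make against their own site: log `session_id()` before and after a successful login. If the two values are identical, the application is exposed regardless of where the session data is stored, because the ID presented before authentication is the one that now carries the authenticated state.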