Joey L.
4,601 Points
Understanding session fixation
I've recently come across session fixation in a book and I'd like to confirm whether I've understood the procedure or not.
As far as I've understood, this is how it happens:
Malicious user logs in and saves the session id assigned to him. He then logs out (to get rid of his session file + session cookie).
He sends the user a query string with the session id he knows (or edits the session cookie of the user by hacking his computer?)
User accesses page that uses sessions. session_start() checks for a session id - finds one - then checks for a match - no file. It creates a file for that specified session ID (is this correct?)
User authenticates - logs in - secure information is stored in $_SERVER and the session file.
Malicious user can now use the session and access the victim's profile/account.
Is this correct? Additionally, if the user logs out (providing session data is deleted) does the hacker lose the session?
I understand that as a precaution, sessions should be regenerated upon authentication.
I believe my confusion lies with session_start(). I know that it either resumes or starts a new session. But I'd like some clarification on the actual procedure.
Start: It first checks for a session id (cookie or GET/POST)
a) If session ID is not found it creates a new one with a corresponding session file. -- end procedure
b) If session ID is found it checks for a match (session file)
-- (i) If match is found -> resume session and populate $_SESSION -- end procedure.
-- (ii) If match is not found - does it create a new session file for that ID or does it create a new ID with a session file?
According to my comprehension of session fixation, I would assume that it creates a session file for the ID specified. Please correct me if I'm wrong.
Thank you for your time :)
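The following is an added example and not part of the original post or of any Treehouse material. It shows the PHP login/logout handling that closes the fixation window the post walks through. Two PHP facts it relies on: with `session.use_strict_mode` off (the historical default) `session_start()` accepts an unknown ID supplied in the cookie or URL and creates a session for it, which is what the attacker in step (ii) depends on; with strict mode on, an unrecognised ID is discarded and a fresh one is generated. The `$users` array, the `login()`/`logout()` functions, the `user_id` key and the `action` POST field are assumptions made up for this example.

```php
<?php
// Added example (not from the original post). Demonstrates the three
// controls against session fixation: reject server-unknown IDs, never take
// the ID from the query string, and rotate the ID on authentication.
declare(strict_types=1);

// 1. Strict mode: an ID the server never issued is thrown away and a new one
//    generated, instead of a session file being created for the planted ID.
ini_set('session.use_strict_mode', '1');
// 2. Only accept the ID from the cookie, never from GET/POST or a rewritten URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 3. Cookie hardening (PHP 7.3+ array form).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// Constructed user store for the demo (assumption; a real app uses a database).
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // 4. The pre-authentication ID may have been chosen by an attacker, so the
    //    authenticated state must live under a new ID. The `true` argument
    //    deletes the old session file, so the fixed ID maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    // 5. Wipe server-side data, expire the cookie and destroy the session file.
    //    Anyone still holding the old ID (the attacker included) now gets an
    //    empty, unauthenticated session on the next request.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Minimal dispatch for the example; the 'action' field is an assumption.
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $ok = login($users, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? "logged in as {$_SESSION['user_id']}\n" : "login failed\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} else {
    echo isset($_SESSION['user_id'])
        ? "session for {$_SESSION['user_id']}\n"
        : "anonymous session\n";
}
```

Step 4 is the one the post identifies ("sessions should be regenerated upon authentication"); steps 1 and 2 remove the two delivery paths described in the post, the planted cookie and the query-string ID, before authentication ever happens. Logout on the victim's side does invalidate the attacker's copy of the ID only if the server-side session is actually destroyed, as in step 5; merely clearing the victim's cookie leaves the session file in place.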