The ActiveRecordStore backend for CGI::Session allows you to plug in custom session classes. See session/active_record_store.rb in Action Pack. The default session class is a normal Active Record class named Session. An alternative, SqlBypass, is provided which duck-types with the AR class but uses straight SQL over the db connection. You can use it as a starting point for pessimistic locking.

class MyPessimisticSession < CGI::Session::ActiveRecordStore::SqlBypass
  # Pick a database connection for straight SQL access.
  self.connection = ActiveRecord::Base.connection

  # Override the finder class method to do a SELECT ... FOR UPDATE.
  def self.find_by_session_id(session_id)
    @@connection.select_one "..."
  end
end

# Use our custom session class.
CGI::Session::ActiveRecordStore.session_class = MyPessimisticSession

# Use the ActiveRecordStore for CGI sessions.
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(
  :database_manager => CGI::Session::ActiveRecordStore
)

As a footnote, I believe the default session backend (PStore) serializes access since it uses file locking. Perhaps it's worth a second look?