PHP mcrypt: using the session ID as the key

I successfully use mcrypt to encrypt IDs in an admin panel, as they are often seen in the URL. I have previously added a key manually as I code, but this time I plan to use the user's account ID, which is kept in a session. Is this a good way, or should I keep a fixed key throughout the site?

Thanks

Never pass SESSION IDs over URLs, even if encrypted (it's weird and still quite unsafe). Transferring SESSION IDs in URLs was deprecated by PHP a long time ago (session.use_trans_id=0). The session ID is transferred automatically by the browser; you don't need to take care of it at all.

The only use case might be if you want to forcibly allow browsers with cookies disabled; then you would need to append such a parameter to all links (mimicking the deprecated behaviour). However:

  • it would still be a great security risk, since attackers and malicious webbots mostly disable cookies,
  • encrypting it in any way makes no sense, because the string can still be hijacked and the server will decrypt it into the original session ID.

So just pull out the user ID stored in the session and don't worry about transferring the session ID over the URL.