in reply to Using crypt for 'reasonably' secure session management w/DB
crypt is supposed to do what Digest::SHA1 actually does, so consider using that instead. It works equally well on strings of any length. If you want slightly shorter encrypted strings, see Digest::MD5, which is not quite as secure but probably still good enough for you.
I don't see the need to encrypt the session ID. What is that supposed to protect you against? I can't tell from your description, but I suppose it's possible that there's some data encoded in the session string that you don't want the site operators to have access to.
In any security problem, the question you should ask is what you're defending against. What's the attack? What scenario are you trying to prevent, and how does your measure prevent that?
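As an added example (not code from the thread's author): a session ID built with Digest::SHA1 as the reply suggests, with the ID carrying no encoded data at all, so there is nothing to encrypt. The in-memory %SESSIONS hash stands in for the database table, and /dev/urandom and the 30-minute lifetime are assumptions.

```perl
#!/usr/bin/perl
# Opaque session IDs via Digest::SHA1: the ID is a digest of fresh random
# bytes, so it identifies a DB row and encodes nothing about the user.
use strict;
use warnings;
use Digest::SHA1 qw(sha1_hex);

my %SESSIONS;            # session_id => { user => ..., expires => ... } (stands in for the DB)
my $TTL = 30 * 60;       # session lifetime in seconds, an assumed policy

sub random_bytes {
    my ($n) = @_;
    # /dev/urandom is assumed to exist; Crypt::URandom from CPAN is the portable option.
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, $n or die "short read from urandom";
    close $fh;
    return $buf;
}

sub new_session {
    my ($user) = @_;
    # sha1_hex takes input of any length and always yields 40 hex characters.
    my $id = sha1_hex(random_bytes(32) . time() . $$ . $user);
    $SESSIONS{$id} = { user => $user, expires => time() + $TTL };
    return $id;
}

sub session_user {
    my ($id) = @_;
    # Reject anything that is not a 40-char hex digest before touching storage.
    return undef unless defined $id && $id =~ /\A[0-9a-f]{40}\z/;
    my $s = $SESSIONS{$id} or return undef;
    if ($s->{expires} < time()) {     # expired: drop the row and treat as unknown
        delete $SESSIONS{$id};
        return undef;
    }
    return $s->{user};
}

my $sid = new_session('alice');
printf "session id: %s (%d chars)\n", $sid, length $sid;
print "lookup ok: ", (session_user($sid) // 'none'), "\n";
print "bad id:    ", (session_user('deadbeef') // 'none'), "\n";
```

Because the ID is derived from random input rather than from user data, an attacker who reads it learns nothing but an index into the session table; expiry is enforced on lookup, not trusted from the client.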