There is very little about this online; I came across the following by chance, and it solves the problem.
Use a custom session_handler:
Configure::write('Session.save', 'my_session_handler');
<?php
// app/config/my_session_handler.php

// Revert value and get rid of the referrer check even when
// Security.level is medium
ini_restore('session.referer_check');

ini_set('session.use_trans_sid', 0);
ini_set('session.name', Configure::read('Session.cookie'));

// Cookie is now destroyed when browser is closed, doesn't
// persist for days as it does by default for security
// low and medium
ini_set('session.cookie_lifetime', 0);

// Cookie path is now '/' even if your app is within a sub
// directory on the domain
$this->path = '/';
ini_set('session.cookie_path', $this->path);

// Session cookie now persists across all subdomains
ini_set('session.cookie_domain', env('HTTP_BASE'));
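In CakePHP 1.x, env('HTTP_BASE') is computed from the request's Host header, so the handler above takes the cookie domain from client-supplied input. The following is an added example, not code from the original page or from CakePHP: a replacement for the final session.cookie_domain line that only widens the cookie to a parent domain found on a configured allow-list. The helper name my_session_cookie_domain, the $allowedCookieDomains list and the domain example.com are assumptions made for illustration.

```php
<?php
// Added example (not from the original page): hardened replacement for the
// final session.cookie_domain line of my_session_handler.php.

// Assumption: parent domains this app is served under (constructed placeholder).
$allowedCookieDomains = array('example.com');

if (!function_exists('my_session_cookie_domain')) {
    // Hypothetical helper: returns ".parent" when $host is an allowed parent
    // domain or one of its subdomains, otherwise null.
    function my_session_cookie_domain($host, $allowed) {
        // Normalise: lower-case, strip an optional port and a trailing dot.
        $host = strtolower(trim((string)$host));
        $host = rtrim(preg_replace('/:\d+$/', '', $host), '.');
        foreach ($allowed as $parent) {
            $suffix = '.' . strtolower($parent);
            // Exact match, or a label-boundary suffix match, so that
            // "notexample.com" does not match "example.com".
            if ($host === substr($suffix, 1)
                || substr($host, -strlen($suffix)) === $suffix) {
                return $suffix;
            }
        }
        return null;
    }
}

$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$domain = my_session_cookie_domain($host, $allowedCookieDomains);
if ($domain !== null) {
    // Known parent domain: share the cookie across its subdomains.
    ini_set('session.cookie_domain', $domain);
}
// Unknown Host value: session.cookie_domain keeps its configured value
// (empty by default in PHP, which binds the cookie to the issuing host).

// Keep the session id out of URLs and away from page scripts.
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);

// Mark the cookie Secure when the request itself arrived over TLS.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', 1);
}
```

A cookie scoped to the parent domain is sent to every subdomain, so each host under that domain must be trusted to the same degree as the application that issues the session.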