causes of occasional ActionController::InvalidAuthenticityToken exceptions

A few times a week we get an
ActionController::InvalidAuthenticityToken exception from our app (not
all from the same action or controller). I understand why
protect_from_forgery exists and am not interested in disabling it. I
am quite certain this is not from actual attacks on our site but not
sure why users are consistently triggering it. The number of users it
impacts is very small but still would be nice to know how to reduce
them or at least why it is happening.

Any ideas?

Thanks,
Drew

I'm having the same problems on a production website.
It has several hundreds of visitors each days and this error occurs
occasionally (more or less 1-3 times a week).
Looking at the logs I see it is an actual visitor doing 'normal'
things.
I also saw a visitor that had it several times in a short period (with
different authenticity tokens).

I can't seem to find the reason.
We're using the database for storing the sessions
(ActionController::Base.session_store = :active_record_store).
We're using a 128 character session key.

Any ideas?

Thanks
Matthias