causes of occasional ActionController::InvalidAuthenticityToken exceptions

A few times a week we get an ActionController::InvalidAuthenticityToken exception from our app (not all from the same action or controller). I understand why protect_from_forgery exists and am not interested in disabling it. I am quite certain this is not from actual attacks on our site, but I am not sure why users are consistently triggering it. The number of users it impacts is very small, but it would still be nice to know how to reduce them or at least why it is happening.

Any ideas?

Thanks, Drew

I'm having the same problems on a production website. It has several hundred visitors each day and this error occurs occasionally (more or less 1-3 times a week). Looking at the logs, I see it is an actual visitor doing 'normal' things. I also saw a visitor that had it several times in a short period (with different authenticity tokens).

I can't seem to find the reason. We're using the database for storing the sessions (ActionController::Base.session_store = :active_record_store). We're using a 128-character session key.

Any ideas?

Thanks, Matthias