How often is the authenticity token updated?
The latest error that I got was a submittal of a form, an model
validation occured, I click back, make the correction, resubmit the
form, then I get an InvalidAuthenticityToken error.
They are tied to the session id (non cookie store) or from the crsf_id in the session (cookie store). if something is killing the session that will do it
Somewhat off topic
If a person is using the authenticity tokens is there still a need to
use some sort of captcha?
captcha and authenticity tokens are for completely different things. Authenticity tokens are for guarding against crsf attacks, captchas are for preventing computer programs automatically doing stuff with your web app.