InvalidAuthenticityToken?

Should I be worried about InvalidAuthenticityToken errors? I’m pretty sure this
isn’t someone trying to hack us, but I suspect it may be some config error
on our part.

We have 2 servers, each with multiple mongrels and Apache
load-balancing between them.

On the same lines, should I expect an authenticity token to remain
constant for the life of a session? I’ve analyzed my logs and I am
/definitely/ seeing instances where it looks like the authenticity
token is changing within a session (infrequently, though).

When it does change, it seems to be okay, though–since the response to
the client has the new authenticity token, then the form submit has the
new one and everything is okay.

But I do have cases where the server rejects the authenticity token…
any ideas why this might be happening or what I can look at to try and
debug?

Thanks,

dwh