Should I be worried about InvalidAuthenticityToken errors? I’m pretty sure this isn’t someone trying to hack us, but I suspect may be some config error on our part.

We have 2 servers, each with multiple mongrels and Apache load-balancing between them.

On the same lines, should I expect an authenticity token to remain constant for the life of a session? I’ve analyzed my logs and I am /definitely/ seeing instances where it looks like the authenticity token is changing within a session (infrequently, though).

When it does change, it seems to be okay, though–since the response to the client has the new authenticity token, then the form submit has the new one and everything is okay.

But I do have cases where the server rejects the authenticity token… any ideas why might this be happening or what I can look at to try and debug?