So I've had this application online for about 4 months now, and ever since launch, I get random e-mails from ExceptionNotification about authenticity token errors. In and of itself, that's cool, but I'm disturbed by the number I've received.
Basic setup: Rails 2.2.2 Passenger 2.2.2 Apache 2
Long story short, I've gone through lots of output from Exception Notification and found no pinpoint commonality. I've seen user agents from IE 6 through FF 3.5. Some are on OS X, most on Windows, and most have MS Office installed (signs thereof showing up in the output from EN under user-agent).
So far, my only theory is that it has something to do with the way Passenger is spawning the application. As I understand it, a request comes into Apache, which shuttles it to Passenger, which then shuttles it to one of X instances of the rails application (where X is unknown to me), depending on which is lowest on traffic. In theory, if a user's initial request came in for one instance, this would trigger the error if they somehow got shuttled to a different running instance of passenger on their next request, because their authenticity token was generated by another running instance of the application.
And yes, I'm 99.9% sure they're real humans causing these, and not bots or CSRF attacks (the vast majority anyway, I'm sure we've had a few bots/hack attempts, but not nearly this many).
Does this theory hold water? If not, what else do you think could be causing so many Authenticity Token errors?
