random InvalidAuthenticityToken errors

My login controller seems to be randomly raising InvalidAuthenticityToken errors. I'm using exception_notifier so I've got pretty solid debug output, but I can't see any pattern to it. They are real users with different IPs and different who sometimes try repeatedly to join or log in and mail me when they can't, so I don't think it's any kind of bot. And it's only these two actions on this controller; I use protect_from_forgery on my create/update/destroy actions and have never had an exception.

Can anyone offer troubleshooting ideas?