random InvalidAuthenticityToken errors

My login controller seems to be randomly raising
InvalidAuthenticityToken errors. I'm using exception_notifier so I've
got pretty solid debug output, but I can't see any pattern to it. They
are real users with different IPs and different who sometimes try
repeatedly to join or log in and mail me when they can't, so I don't
think it's any kind of bot. And it's only these two actions on this
controller; I use protect_from_forgery on my create/update/destroy
actions and have never had an exception.

Can anyone offer troubleshooting ideas?