There are many documented reasons for getting the InvalidAuthenticityToken exception in a Rails application. However if you are here after searching for the keywords InvalidAuthenticityToken and Internet Explorer 9 or IE9, chances are it's only happening to you in IE9 and the following solution will save you a lot of headaches.
Hostnames cannot contain an underscore (_). That means it's not a valid character in a subdomain. Most browsers will play along, even older versions of Internet Explorer, but it turns out IE will not.
So there you go, if you have an underscore in your subdomain, get rid of it and your Invalid Authenticity Token exception will go away as well. I hope you found this post before you pulled your hair out.