There are many documented reasons for getting an InvalidAuthenticityToken exception in a Ruby on Rails application. However, if you arrived at this page after searching for IE9 or Internet Explorer 9 and InvalidAuthenticityToken, chances are it's only happening to you in IE9 and the following solution will save you a lot of headaches.
Hostnames cannot contain an underscore (_). That means it's not a valid character in a subdomain. Most browsers will play along, even older versions of Internet Explorer, but it turns out IE will not.
So there you go, if you have an underscore in your subdomain, get rid of it and your Invalid Authenticity Token exception will go away as well. I hope you found this post before you pulled your hair out.