Why is my user's X-CSRF-Token header different form the _csrf_token in the session?

For a very small number of users (who are making legitimate requests) on my site, the X-CSRF-Token header sent with their AJAX requests is different from the _csrf_token in the开发者_如何学Goir (cookie store) session (and the rest of their session seems normal). Consequently, they are getting buggy behavior and errors. Any insight into how this could happen?

Using Rails 2.3.11 on REE 1.8.7 on Heroku & jQuery 1.4.2.

This problem disappeared after upgrading to Rails 3