Is the session in your Rails app getting messed up after a user goes to a facebook tab app  on your server and receives a signed request?

This can be happening because the facebook app doesn’t send a csrf token in it’s token. You can fix this by adding removing the protect_from_forgery callback on the facebook app’s action. See http://stackoverflow.com/questions/1177863/how-do-i-ignore-the-authenticity-token-for-specific-actions-in-rails