So I’m not sure if this is 100% causing it but I was able to replicate the error
1) Open two browser windows of the same browser type (ie. 2 chrome windows)
2) Go to the login page in both windows
3) Login on one of the windows and then logout
4) Login on the other browser window and you’ll see the error
Logging out updates the csrf token but if the other login page isn’t refreshed it doesn’t get the updated token. Shouldn’t devise be handling this situation gracefully?