Question: Does the session in your Ruby on Rails application lose after a user goes to a facebook tab app then facebook tab app request to your server and your server receives a signed request?
Answer: This can be happening because of the facebook app doesn’t send a csrf token in it’s token.

You can fix this by add skip_before_filter :verify_authenticity_token to the controller that facebook app’s request to or remove protect_from_forgery from application_controller.rb