So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.

As it was stated above, token is stored in online table. So that when user goes offline, the token is lost.
You may modify the code or make an extension to implement the logic you need, e.g. store the csrf token in users table...
Nevertheless, it seems to me very seldom, when you cannot find the balance between "long writing" and "quick online status update".

posters who make topics like "hello username"

...should be banned

To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.

This is not a good solution I'm afraid.
If a user spends 5 minutes composing a new post (this is very common on my forum) then he should be hit with the security token measure. This is just putting people off using the forum. Also, I don't want people to remain in the online list for 5 minutes after they leave the site. This results in confusion amongst posters who make topics like "hello username" when in fact the person they are talking to left the site 4 minutes ago.

So the online timeout should be around 3 minute (for my site) and the security token should be a separate value.

That is just my opinion anyway

I've supposed that the bug appears on posting a form when somebody else have visited the forum after a forum page with the form was opened in browser. Also I thought this error is shown only for admins. Am I right?

We'll continue the investigation

That's defeating the purpose of having the security token, however.

But the way it was causing problems. Users were frustrated. The time length needs extending. Is there a description somewhere that I can read stating why the time is so short?

Yeah, of course.

It is not a good idea to suggest to people an option which is decreasing their security.