We have the url of a requested page and csrf_token in the table online (it is generated when user log in). These two strings are concatenated and hashed with sha1-algorithm. Given value is stored on the forum page in a hidden value.
There is an option "Online timeout". It defines the count of seconds idle before a user is removed from the online users list.
Every time a user requests a page of the forum, the list of online users is updated. This means that some information about the current user (logged time and previous url) will be updated, and all users, logged more than online timeout seconds ago, will be removed from the online table.
When a visitor writes his post more than online timeout and other users are browsing forum pages, the posting user will be removed from the online list. When a user presses the "Submit" button, he will be authorized via a cookie and, as he was removed from online table, a new csrf_token will be generated in the online table. So csrf_token in the online table doesn't equal csrf, which was used to generate csfr-token at the requested page.
To increase time frame of the security token, you should increase the online timeout. You can do it on "admin/settings.php" page in the "Default timeouts and redirect delay" section.