Maybe user had opened form and the session expired and with it the CSRF token also. Either increase the session expiration time or make JS logout (redirect) on session expiration.

I know that the cause should be that, but the exception should be handled by the
case ($e instanceof TokenMismatchException):

instead it is reported like an unhandled exception, or that kind of exceptions are reported into the log file even if correctly handled?

That happened again. Is it possible that the token and session is not generated if it is a bot to try to use the form? It looks not probable to me that so many users are waiting so much time to fill a form, the session's lifetime is 4 hours, I don't think that in the last 3 days 3 users did wait 4 hours before to fill a form.

The messages continue to appear, ever 3 in 3 seconds. I'm sure that it is a bot, could it be a bot which tries to use the login form?

I don't think that I could solve this with any captcha or other, the token is checked before the form validation.

1 - reload page 2 - reload / resend form 3 - regenerate token 4 - if it is form, add csrf_field()