Is the following the expected behavior?
Accessing an activated survey on demo.limesurvey.org
After finishing the survey.

Three cookies are set in the browser:
Name PHPSESSID
Value hrd747j4jmh2ipnhbbmb1aaj51
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly Yes

Name YII_CSRF_TOKEN
Value c84abb957a10959e77a188c4c0f0477d3048c217
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly No

Name userpermissions
Value false
Host demo.limesurvey.org
Path /
Expires At end of session
Secure No
HttpOnly No

Close Tab. Not Browser.
For testing the Cookie "YII_CSRF_TOKEN" is removed manually from the browser.
URL is entered again in a new tab without NEWTEST=Y.
After completing the survey the second time cookies found in browser are:

Name PHPSESSID
Value hrd747j4jmh2ipnhbbmb1aaj51
Host demo.limesurvey.org
Path /
Expires At end of session
Secure Yes
HttpOnly Yes

Name userpermissions
Value false
Host demo.limesurvey.org
Path /
Expires At end of session
Secure No
HttpOnly No

1. CSRF-Cookie was not recreated when entering the survey URL again in the new tab.
2. Survey could be finished (POST) without any error.

I would have expected that the CSRF-Cookie is recreated. But since that is not the case, I would than expect that a CSRF mismatch is triggered. Both is not the case. Is that the intended behavior?

CSRF cookies are tested for each $_POST session, strange you don't have it after submitting.