Tags: php, security, zend-framework, csrf, csrf-protection

Is it secure to get new csrf hash token from ajax response?


I use the Zend 1 framework and I have a form that uses AJAX multiple times. I secured it with CSRF, but after the first request the CSRF token expires and I need a new one. Is it secure to pass a new CSRF token from the server side and use it on the front side for a new AJAX call?


Solution

  • Having a rolling CSRF token is always a bad design because if the user has multiple windows open then a race condition occurs on which CSRF token is currently valid.

    When implementing any security system, try and use an existing library or a well documented technique. Don't shoot from the hip; read the CSRF Prevention Cheat Sheet.

    A rotating CSRF token does not improve security because the same bypass techniques will always obtain the current CSRF token. All CSRF mitigations rely upon the Same-Origin Policy - and if your application has a SOP bypass - such as a weak crossdomain.xml file or an insecure CORS ruleset, or XSS - then an attacker can use this vulnerability to read any HTTP response. For any given web application some HTTP response must have the CSRF token, and an SOP bypass can be used to read this token and forge interactions between the browser and web application.

    It doesn't matter what type of CSRF mitigation is in place - XSS can always be used to force the browser into performing any action that the user can perform. If a request that is vulnerable to reflected XSS also requires a CSRF token, then it will be very difficult or impossible to exploit. For this reason, CSRF & XSS have a kind of rock-paper-scissors relationship.
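To make the multiple-windows race condition in the answer concrete, here is an added, language-agnostic simulation written for this page; it is not code from the question, the answer, or Zend Framework 1. `RollingCsrf` (one fresh token per render, previous token invalidated) and `SessionCsrf` (one token per session, reused by every form and AJAX call) are hypothetical stores; the two-window sequence and the "attacker" value are constructed inputs.

```python
import hmac
import secrets


class RollingCsrf:
    """Per-render token: each issue() replaces the previous token, so only
    the most recently rendered window holds a valid one."""

    def __init__(self):
        self.current = None

    def issue(self):
        self.current = secrets.token_hex(16)
        return self.current

    def verify(self, submitted):
        if self.current is None or not isinstance(submitted, str):
            return False
        ok = hmac.compare_digest(self.current, submitted)  # constant-time compare
        if ok:
            self.current = None  # single use; next render must issue again
        return ok


class SessionCsrf:
    """Per-session token: generated once when the session starts and returned
    unchanged to every form render or AJAX token request in that session."""

    def __init__(self):
        self.token = secrets.token_hex(16)

    def issue(self):
        return self.token  # no rotation, so no race between open windows

    def verify(self, submitted):
        if not isinstance(submitted, str):
            return False
        return hmac.compare_digest(self.token, submitted)


def simulate_two_windows(store):
    """Constructed sequence: window A renders the form, window B renders the
    form, then A submits, then B submits. Returns (a_accepted, b_accepted)."""
    tok_a = store.issue()
    tok_b = store.issue()
    return store.verify(tok_a), store.verify(tok_b)


def forged_submission(store):
    """A cross-site request carries the session cookie but cannot read the
    token (Same-Origin Policy), so it can only submit a guess."""
    store.issue()
    return store.verify("0" * 32)  # constructed attacker guess
```

With the rolling store the first window's submission is rejected even though the user did nothing wrong; with the session store both windows succeed and the forged request still fails.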