diff --git a/bin/browserid b/bin/browserid
index 005725a51145aebedd7d92d08fa2fd58b9e7a98b..d69fe6767558d96e9b15a8cbfa9360c435873269 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -309,19 +309,19 @@ app.use(function(req, resp, next) {
       logger.warn("CSRF validation failure: POST only allowed to /wsapi urls.  not '" + req.url + "'");
     }
 
-    if (req.session === undefined) { // there must be a session
+    else if (req.session === undefined) { // there must be a session
       denied = true;
       logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
     }
 
     // the session must have a csrf token
-    if (typeof req.session.csrf !== 'string') {
+    else if (typeof req.session.csrf !== 'string') {
       denied = true;
       logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
     }
 
     // and the token must match what is sent in the post body
-    if (req.body.csrf != req.session.csrf) {
+    else if (req.body.csrf != req.session.csrf) {
       denied = true;
       // if any of these things are false, then we'll block the request
       logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
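Review bot: The mismatch warning on the last line of the hunk writes the session's expected CSRF token (`want:`) and the raw request value into the log, so anyone who can read the logs sees a live token and the request-supplied string lands there unescaped; `logger.warn("CSRF validation failure, token mismatch");` carries enough information. The new `else if (req.body.csrf != req.session.csrf)` compares loosely, so a non-string body value that coerces to the token string would be treated as equal; because the preceding branch already guarantees the session token is a string, `else if (typeof req.body.csrf !== 'string' || req.body.csrf !== req.session.csrf) {` is the stricter form. If `req.body` can be undefined at this point (not visible in the hunk), that line would throw instead of setting `denied`. The enclosing middleware function starts and ends outside the hunk.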