diff --git a/browserid/app.js b/browserid/app.js
index 9902a49f070f96440ac7924b78c1ecfa353d7897..15c84111ec2924e3e7eee07c17de96b81f7575e9 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -193,15 +193,32 @@ exports.setup = function(server) {
   server.use(function(req, resp, next) {
     // only on POSTs
     if (req.method == "POST") {
-      if (!/^\/wsapi/.test(req.url) || // post requests only allowed to /wsapi
-          req.session === undefined || // there must be a session
-          typeof req.session.csrf !== 'string' || // the session must have a csrf token
-          req.body.csrf != req.session.csrf) // and the token must match what is sent in the post body
-      {
+      var denied = false;
+      if (!/^\/wsapi/.test(req.url)) { // post requests only allowed to /wsapi
+        denied = true;
+        logger.warn("CSRF validation failure: POST only allowed to /wsapi urls.  not '" + req.url + "'");        
+      }
+
+      if (req.session === undefined) { // there must be a session
+        denied = true;
+        logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");        
+      }
+      
+      // the session must have a csrf token
+      if (typeof req.session.csrf !== 'string') {
+        denied = true;
+        logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
+      }
+
+      // and the token must match what is sent in the post body
+      if (req.body.csrf != req.session.csrf) {
+        denied = true;
         // if any of these things are false, then we'll block the request
-        logger.warn("CSRF validation failure.");
-        return httputils.badRequest(resp, "CSRF violation");
+        logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
       }
+
+      if (denied) return httputils.badRequest(resp, "CSRF violation");
+
     }
     return next();
   });
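Review bot: The `req.session === undefined` branch no longer stops evaluation, so when there is no session the next check dereferences `req.session.csrf` and throws a TypeError in the middleware instead of returning the 400 that the original short-circuiting chain produced. Guard the later checks on the earlier result, e.g. `if (!denied && typeof req.session.csrf !== 'string') {` and `if (!denied && req.body.csrf != req.session.csrf) {`, or turn the four blocks into an `if`/`else if` chain. The mismatch log line also writes the session's valid CSRF token into the log via `" want:" + req.session.csrf`; logging only that a mismatch occurred, `logger.warn("CSRF validation failure, token mismatch.");`, keeps the secret out of log files. The comparison `req.body.csrf != req.session.csrf` is loose; `!==` is the safer form since both sides are expected to be strings. The enclosing `exports.setup` function begins outside the hunk.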