- Aug 19, 2011
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
- Aug 18, 2011
-
Lloyd Hilaiel authored
lazy fetch csrf tokens in dialog immediately before a post request which requires them. fixes csrf race condition in beta and dev
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Shane Tomlinson authored
No need to JSON.stringify the emails list.
-
Shane Tomlinson authored
-
Lloyd Hilaiel authored
-
Shane Tomlinson authored
Fixing withCSRF to correctly get the CSRF token.
-
Lloyd Hilaiel authored
-
Shane Tomlinson authored
The request was assuming XML, which caused jQuery to blow its top since the response was not valid XML. If we set the response to HTML, we can set the CSRF token directly from the response, without using response.body. issue #177
-
Shane Tomlinson authored
-
Shane Tomlinson authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
fix manage page, now we explicitly call /wsapi/csrf so that the page itself can be cached. issue #74
-
Lloyd Hilaiel authored
move /csrf to /wsapi/csrf. add /wsapi path to cookies, as all other requests should have aggressive cache headers. Only create a csrf token when the client asks for it. issue #173
-
Lloyd Hilaiel authored
add logging to CSRF token generation, and rather than throwing an exception when a mismatch is detected, log an error and return a bad request to the client (seems like a better fit than 'not authorized'). issue #173
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
remove dead code. we moved from cookie-sessions to connect-cookie-sessions. we shouldn't have references to the former, and the latter does not throw exceptions when invalid cookies are encountered, so we don't need exception handling there.
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
interface winston logging better, use the Console transport when running in the dev harness rather than manually logging to console (yay for colorized output)
-
Lloyd Hilaiel authored
all tests now run against all persistence layers, warnings are output when (i.e.) mysql isn't set up and we can't test against it, but the developer should clearly understand what's going on. closes #171
-
Lloyd Hilaiel authored
top level test.sh file now tests to see if we can connect to the database before running tests for that environment. issue #171
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
rename 'log_path' configuration variable to 'var_path', as now it will be the path to all files created at runtime. issue #172
-
- Aug 17, 2011
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
logging setup is moved into app.js for the browserid server (now common between test and prod envs). remove it from the run.js harness