fix CSRF checking logic, once we identify a single problem with the CSRF token, don't fall through to further checks