diff --git a/server/ctrl/session.go b/server/ctrl/session.go
index 8ba6ce02..7a47936a 100644
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@@ -110,7 +110,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
 c.Secure = true
 c.SameSite = http.SameSiteNoneMode
 if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
- Log.Warning("iframe from non secure origin isn't supported '%s'", f)
+ Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
 }
 }
 http.SetCookie(res, c)
diff --git a/server/middleware/session.go b/server/middleware/session.go
index 545cab9f..9138fe3f 100644
--- a/server/middleware/session.go
+++ b/server/middleware/session.go
@@ -287,6 +287,7 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
 str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, str)
 if err != nil {
 // This typically happen when changing the secret key
+ Log.Debug("middleware::session decrypt error '%s'", err.Error())
 return session, nil
 }
 if err = json.Unmarshal([]byte(str), &session); err != nil {
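Review bot: The reworded `Log.Warning` still writes the whole client-supplied `Referer` value (`f`) into the log at warning level, so a client can make the entry arbitrarily long, and a referring URL's path or query string may carry tokens that then end up in the log. Logging only the scheme and host of `f` would be enough for the operator to act on the message; at a minimum, quoting the value with `%q` instead of `'%s'` keeps the entry unambiguous, assuming `Log.Warning` takes fmt-style verbs as the existing call suggests. The body of `SessionAuthenticate` starts and ends outside this hunk, so whether this branch can be reached before authentication succeeds is not visible here.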
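Review bot: A decrypt failure on the session cookie is also what a tampered or forged cookie looks like, but the added `Log.Debug` line records only the error text, so the entry cannot be tied to a client. Including the peer address, e.g. `Log.Debug("middleware::session decrypt error '%s' from '%s'", err.Error(), req.RemoteAddr)`, would make it usable for detection, and the comment above it could read `// Typically a secret key change, but also what a tampered cookie produces`. It is worth confirming that the error returned by `DecryptString` never embeds cookie contents, since that helper is not visible in this diff. `_extractSession` continues outside the hunk.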