diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 783737b5af..8f9341954f 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -593,14 +593,22 @@ def _write_cookie_secret_file(self, secret):
         """
     )
 
+    _token_generated = True
+
     @default('token')
     def _token_default(self):
         if self.password:
             # no token if password is enabled
+            self._token_generated = False
             return u''
         else:
+            self._token_generated = True
             return binascii.hexlify(os.urandom(24)).decode('ascii')
 
+    @observe('token')
+    def _token_changed(self, change):
+        self._token_generated = False
+
     password = Unicode(u'', config=True,
                       help="""Hashed password to use for web authentication.
 
@@ -1092,8 +1100,12 @@ def init_webapp(self):
     @property
     def display_url(self):
         ip = self.ip if self.ip else '[all ip addresses on your system]'
-        query = '?token=%s' % self.token if self.token else ''
-        return self._url(ip) + query
+        url = self._url(ip)
+        if self.token:
+            # Don't log full token if it came from config
+            token = self.token if self._token_generated else '...'
+            url = url_concat(url, {'token': token})
+        return url
 
     @property
     def connection_url(self):
@@ -1321,7 +1333,17 @@ def start(self):
                 b = lambda : browser.open(url_path_join(self.connection_url, uri),
                                           new=2)
                 threading.Thread(target=b).start()
-        
+
+        if self.token and self._token_generated:
+            # log full URL with generated token, so there's a copy/pasteable link
+            # with auth info.
+            self.log.critical('\n'.join([
+                '\n',
+                'Copy/paste this URL into your browser when you connect for the first time,',
+                'to login with a token:',
+                '    %s' % url_concat(self.connection_url, {'token': self.token}),
+            ]))
+
         self.io_loop = ioloop.IOLoop.current()
         if sys.platform.startswith('win'):
             # add no-op to wake every 5s
diff --git a/notebook/templates/login.html b/notebook/templates/login.html
index 1cf0a3fad1..df394db32c 100644
--- a/notebook/templates/login.html
+++ b/notebook/templates/login.html
@@ -20,7 +20,7 @@
       <div class="navbar-inner">
         <div class="container">
           <div class="center-nav">
-            <p class="navbar-text nav">Password or token:</p>
+            <p class="navbar-text nav">Password{% if token_available %} or token{% endif %}:</p>
             <form action="{{base_url}}login?next={{next}}" method="post" class="navbar-form pull-left">
               <input type="password" name="password" id="password_input" class="form-control">
               <button type="submit" id="login_submit">Log in</button>
@@ -42,10 +42,11 @@
       {% endfor %}
       </div>
     {% endif %}
+    {% if token_available %}
     {% block token_message %}
     <div class="col-sm-6 col-sm-offset-3 text-left">
       <p class="warning">
-        If this notebook server has no password set, token authentication is enabled.
+        Token authentication is enabled.
 
         You need to open the notebook server with its first-time login token in the URL,
         or enable a password in order to gain access.
@@ -62,8 +63,12 @@
       <p>
         Or you can paste just the token value into the password field on this page.
       </p>
+      <p>
+        Cookies are required for authenticated access to notebooks.
+      </p>
     </div>
     {% endblock token_message %}
+    {% endif %}
 </div>
 
 {% endblock %}