[iamdual]

You need to authenticate the user before the activation.

[kyrra]

This. You could rely on a cookie during the get request as well, that you set on the users browser during registration. Or re-auth after click.

[simonw]

The problem with that is people like myself who tend to register on a laptop but then click the email verification link on their mobile phone.

(Because waiting for Gmail to load on a laptop is painful, whereas on my phone is shows up as a push notification within seconds)

[winrid]

What about magic links? :)