* use an interstitial page so that the actual activation is a POST request;
* send a confirmation code instead of a link