How about authorizing the user immediately, send them
an automatic welcome email with a coded url requesting them to click on the link that flags the db that the email is valid.
If they don't do this in x days. the account automatically
deleted.
This way, the user can stay logged on and still have
their account deleted if the email isn't confirmed
We may implement something like this soon.