Re: Sending link by email to new user of reserved area

If you are not concerned with security you can do as naval has suggested. If you are concerned, then it's best to make a completely random string, one not based on their username or password at all. This way the only way to know the actual activation string is to have retrieved it from their email.
Basically yes, there are ways to check if an email really exists (which don't necessarily work on all emails) but this is the only way, with relative certainty, to know that whoever registered also controls the email they specify. There are other, more complicated ways, but they won't necessarily be any more secure.
For the sake of security I would say to not do a login during the activation, and just redirect them to the login page. (You don't want to authenticate based on a link from an email, you want them to verify they know the username and password).
Also, if you have your login script set up securely, the only way to log in should be using a username and password. That is, your script should only store encrypted passwords, and should compare the username/password they enter with what is stored on the website... on every page load. The only way you could then log the user in without them entering the password would be to only check if a flag is set (saving a variable $login=true;), which is not a secure way to handle user authentication, and should be avoided.
__________________
Register/Login Script
Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script
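The activation flow described in the post above, as an added example that is not part of the original post or the poster's script. It assumes PHP 7 or later; the in-memory `$users` array, the function names, the `/login.php` and `/activation-failed.php` paths and the `example.test` host are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for a users table (hypothetical schema).
$users = [
    'alice' => ['active' => false, 'token_hash' => null, 'token_expires' => 0],
];

// Create a random activation token that is unrelated to username or password.
// Only its SHA-256 hash is stored; the raw token exists only in the email.
function issueActivationToken(array &$users, string $username, int $now, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $users[$username]['token_hash'] = hash('sha256', $token);
    $users[$username]['token_expires'] = $now + $ttl;
    return $token;
}

// Activate the account if the token matches, but never log the user in here.
// Returns the path the caller should redirect to.
function activate(array &$users, string $username, string $token, int $now): string
{
    $user = $users[$username] ?? null;
    $stored = $user['token_hash'] ?? null;
    if ($stored === null || $now > $user['token_expires']
        || !hash_equals($stored, hash('sha256', $token))) { // constant-time compare
        return '/activation-failed.php';
    }
    $users[$username]['active'] = true;
    $users[$username]['token_hash'] = null; // single use: the link stops working
    return '/login.php'; // the user must still enter username and password
}

// Demonstration with constructed values.
$now = time();
$token = issueActivationToken($users, 'alice', $now);
echo 'https://example.test/activate.php?u=alice&t=' . $token, PHP_EOL; // link for the email
echo activate($users, 'alice', 'guessed-value', $now), PHP_EOL; // wrong token
echo activate($users, 'alice', $token, $now), PHP_EOL;          // correct token
echo activate($users, 'alice', $token, $now), PHP_EOL;          // same link reused
```

No session variable is set anywhere in `activate()`, so possession of the emailed link proves control of the mailbox and nothing more.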