Account email verification - what to check for?

I have it working to a point where I think it's usable and I'm quite happy with it. With that said, I noticed a few things. Most if not all places validate against email or username along with an auto-generated hash code that's X chars long. The URL I send the user looks like the following.

http://www.example.com/account/confirm/bob/cbv54c09023DpW

However, you wouldn't want to verify the account unles开发者_开发技巧s the user logs in successfully. So if hit that URL and I'm not logged in, it's going to force me to log in prior to validation. My question is, if that's the case, I would rather validate the account by using the "logged in" username (or email) and the confirmation code that gets sent out.

I ask because I noticed sites like Twitter and Facebook will send such notices but if you attempt to modify the URL (i.e. example.com/account/confirm/sue/cbv54c09023DpW), it'll log you in but will tell you "Can't validate Sue's account while logged in as Bob" or something similar. How are you guys accomplishing this? Does it make sense to pass the username/email into the URL string?

Why not? It's looking for a combination of both datas to confirm; so there's less a chance of security flaws in it. You could check if they're logged in or not, AND check if the username and auth code match the database data.

I'm just going to send the hash code only