Do I need to auto-login after account activation?

Question

This is the standard scenario:

1. User registers on the site
2. User receives an account activation email, clicks link to activate
3. Web site notifies the user that account is activated

Now there are at least two pathways:

1. User is taken to the login screen and asked to enter login details
2. User is automatically logged in and taken to a welcome/profile/etc page

While there are obvious benefits in (2) as far as the user's experience is concerned, there could be drawbacks as well. Option (1) offers improved security at cost of UX.

Which of the scenarios is preferable and why? Any serious flaws in any of them?

Answer 1

If your user does not enter sensitive data during the registration process, logging them in instantly would make your application more convenient. Also consider that if your application offers a functionality to recover accounts of users who have lost their passwords by sending an reactivation/password e-mail (and I'm pretty sure it does), you already assume the user is able to keep their e-mails away from snoopy folks, so why not log them in after activating?