skipping email validation for users buying something?

sneakyimp

i'm working on a site that requires users who register to validate their email address by clicking a link in an email that we send to them. two good reasons for doing so:

1) prevent unlimited account creation by hackers and bad guys
2) make sure email addresses are real.

if a user is going to buy something, WE DON'T CARE.

now here's the trick...anybody can put items in a shopping cart and check out. when they're checking out, they eventually get to a page where they must either login to an existing account or register. login is no problem.

if they must register, i'd like to skip the email validation step but am having a hard time deciding how to make sure they're going to buy something before i cut them any slack in the registration procedure. can anyone recommend some reasonable process or criteria i can check to give someone a pass without losing the 2 benefits above?

it occurred to me there are several things i can check
i) is anything in their shopping cart?
ii) maybe set something in the session if they've been clicking the checkout buttons?
iii) check the referrer page (although this probably isn't reliable for all browsers).

it also occurred to me that i could log the user in at registration and force them to validate their email address before loggin in again but this seems like a good way to get complaints from customers who provided bogus email addresses.

if anyone has dealt with this problem i'd appreciate some advice.

sneakyimp

ok i am consdering several approaches, most of which are unsatisfactory:

1) create separate registration form which skips the email confirmation step
PROS - simple to link from checkout procedure, keeps reg code separate for different cases
CON - when hackers find it, none of them will ever need to confirm emails. doesn't strictly require user to complete the transaction

2) link to existing registration page with an additional $_GET var which triggers no-confirm registration.
PRO - simple to link from checkout procedure. don't have to replicate registration code
CONS - like 1) above is not secure and when hackers find it, no one will ever need to confirm an email. doesn't stricly require the user to complete the transaction

3) Set some session flag when an anonymous user begins a checkout or visits some crucial checkout page. registration process will look for this flag and, if it finds it, will waive the email confirmation
PROS - still fairly simple but i'm not sure where to set or unset it. is invisible to users or hackers so a bit more difficult to find. would require at least one page visit to establish a session and set the session var.
CONS - not much more protection than solutions 1 and 2 from automated account creation. when to set/unset session vars? doesn't strictly require transaction to be completed.

4) set up logic to allow user a provisional registration when purchasing items. upon completion of provisional registration, customer's account is changed to full-fledged account. user is given grace period of a week or so to make the purchase before account validation proceeds.
PROS - does strictly require a purchase
CONS - more complicated, must figure out where to run the check that will disable their account.