Changes since DRUPAL-5--1-6:
- remove unnecessary db_query -- admins validating a user account shouldn't trigger an account login, either.
- better check for no password.
- switch to using user_pass_rehash() for validation hashes.
- #739978 by quicksketch: Remove the CVS version/revision from the settings page
- #769900 by hunmonk, miro_dietiker: redirect on invalid email validation.
- #765994 by hunmonk: Non-authenticated role is hidden in user profile form even when 'Set password' is unchecked. also backported the missing logic for the user admin form from 6.x
- #797142 by hunmonk: fix session fixation vulnerability.