Just generate a unique token (e.g. a GUID), put that in the email, and record it against the user somewhere. When you get a hit on the verification page, check the token that's passed in the query string against the user token for the current session (or, possibly better, look for any users with that verification token and log the current session in as them), and then clear the verified status.
I can't quite remember how ASP.net stores user information but I think you can extend the default user information;
this page[
^] may be helpful. Alternatively, if custom membership providers look like overkill, create a new table in your database which is for pending verifications, and look up in that instead – but in that case you will have to add a validation check on logging in to check that table, or put users by default into a role called something like PendingVerification which doesn't have access to most of the site.