The problem is that even if the password is hashed the redirect will lead to an URL that is visible to the user.

Which means that they could cheat and bookmark this in the future to create arbitary unvalidated accounts - now at the moment I have a simple scheme to avoid this with the use of sessions, but making this less visible would be a good thing.