I was thinking of missing/incorrect header when the post started talking about setting IP Address from an optional header. As someone has already said, 'Never trust a client'. But while its very easy to say, its not so hard to remember in practice. I find it even harder to remember when the client is essentially some other part of your application.

Reminds me of this hack using the x-forwarded-for header:

http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-ha...

(Anatomy of an Attack: How I Hacked StackOverflow)

and this:

http://xkcd.com/327/

(Exploits of a Mom)

Never trust the client....