in reply to Re: Re: Is this a secure way to handle login?
in thread Is this a secure way to handle login?

It is possible to spoof an IP address; do a web search for 'IP spoofing' and you'll find a fair few pages about it. You may not know how to do it, but intruders sure do. You can't trust anything you receive, so it's often a good idea to make sure anything you want to be truly secure is protected by an HTTPS layer.

Without HTTPS assume anything that's sent can be intercepted, and anything incoming can be forged.

Don't forget also that one user may have multiple sessions running concurrently, or use 'Open In New Window/New Tab' to 'split' the user path, thus limiting the usefulness of changing numbers on a per-request basis.

This is a significantly non-trivial task; using a prebuilt is generally far, far easier, especially if your own security knowledge is limited.
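The multiple-tab point in the reply above, worked through as an added example (not code from the thread): a server that changes the login number on every request sees a second tab and a replayed capture as the same event. The class `RotatingNumberSession` and its `grace` parameter are hypothetical names chosen for this sketch.

```python
import secrets
from collections import deque


class RotatingNumberSession:
    """Server-side state for one logged-in user (hypothetical sketch).

    Each accepted request replaces the number the next request must carry.
    `grace` is how many older numbers are still honoured.
    """

    def __init__(self, grace=0):
        self.current = secrets.token_hex(16)
        self.previous = deque(maxlen=grace)  # maxlen=0 keeps nothing

    def handle(self, presented):
        valid = [self.current, *self.previous]
        if not any(secrets.compare_digest(presented, v) for v in valid):
            return None  # stale or forged number: request refused
        self.previous.append(self.current)
        self.current = secrets.token_hex(16)
        return self.current  # number embedded in the page sent back


def split_path(grace):
    """One page, two tabs: both requests carry the number from that page."""
    s = RotatingNumberSession(grace)
    page_number = s.current
    new_tab = s.handle(page_number)       # link opened in a new tab
    original_tab = s.handle(page_number)  # link then followed in the first tab
    return new_tab is not None, original_tab is not None


def replayed_capture(grace):
    """Plain HTTP: a number seen in transit is presented a second time."""
    s = RotatingNumberSession(grace)
    seen_on_wire = s.current
    user = s.handle(seen_on_wire)    # the user's own request
    replay = s.handle(seen_on_wire)  # the same bytes sent again by a third party
    return user is not None, replay is not None


if __name__ == "__main__":
    for grace in (0, 1):
        print(f"grace={grace} tabs={split_path(grace)} replay={replayed_capture(grace)}")
```

With `grace=0` the user's second tab is refused along with the replay; with `grace=1` both are accepted, so the rotation alone does not separate the two cases.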