How secure can IP based login be?
First of all, I need to emphasize that IP address can never be used to authenticate a user, it can only be used to (attempt to) validate a host. Even if IP address were perfectly tied to an exact computer on an exact network port, we'd still have no guarantee that a particular user was at the console of that computer at that time. So if you are trying to ensure that the resources you are protecting can only be accessed by a particular user, you need to be doing user-level authentication of some kind.
Now it may be that you only want to limit access to, say, people who work at a certain business, or who go to a certain school, or who live in certain house. So you believe that IP-only validation is worth the additional risk. Even then you can't guarantee your data is going to the right place.
A wireline example I can think of is this. Let's say I am a cable internet subscriber and I want to intercept my neighbor's IP traffic. Our cable provider uses DHCP to assign addresses to us from a pool of addresses set aside for dynamic IP addressing. Conceptually, I can intercept his address by discovering his IP address; discovering his MAC address; setting my MAC address to be a clone of his MAC address; rebooting his cable modem (e.g. by interrupting power or cable to his house); issuing a DHCP request.
Since many DHCP servers usually try to assign MACs the same IP they had previously, the cable provider will assign your IP to me. Now this won't work forever - the cable provider will eventually see an IP address collision and investigate the issue. But by that time I may have already stolen your data.
No. This is probably going to be weak. Also, in certain cases IP spoofing is a lot easier than your question indicates. For instance, if the user is logging in over open Wifi connection, then it is easy to do a man-in-the-middle attack or spoof the user's IP address.
There is no Forwarded-By header added when a router forwards an IP packet. There is no such header that's going to help you detect IP spoofing.
See also In what scenarios is relying on source IP address as a security control acceptable/unacceptable?.
If you want one-time validation, I suggest that you set a secure persistent cookie on the user's browser (once you've authenticated them) so you can recognize them again in the future. That will eliminate the need for them to conduct another authentication step in the future, as long as they continue to use the same machine and browser.