> potentially possible to forge credentials. I don't know for sure > whether guard checks the IP address of a request against the original > one that created the session in the first place, but even that could > technically be forged. Caches.