IP address certainly seems like a great way to filter, but some users are switching IP addresses randomly by using proxies or get new IP addresses more often, because of their connection. So IP can be an unreliable detection method. Also, since it's possible the person is on your network when sniffing your request, they could possibly just use your same IP address anyway.
Using the browser ID (or other headers) is no good either, because the attacker can sniff and use that as well. In fact, nothing that is in a request or response can be helpful, because the attacker can sniff all that and craft their headers to be the same.
HTTPS is the way to stop all this.
The only thing I can see being helpful would maybe be some sort of prenegotiated key to sign the requests with. It would have to be negotiated before the attacker sniffs the connection and last for a long time, though.