I have a situation where I am opening a file based on the $_SERVER['REMOTE_USER'] variable. I don't think this is spoof-able but would just like to confirm. I do not want to make myself vulnerable to the reading of arbitrary files:

   <?
      $user = $_SERVER['REMOTE_USER'];
      $fp = fopen("./$user.png","r");
   ?>

Yes, that username is whatever is specified by the remote user.

You need to verify password as well. If password is verified by your server, and not your application, then you are probably okay.