- Defect (Security)
- Resolution: Duplicate
- Trivial
- None
- 3.0.0beta2
- Any
 
If you steal a cookie from an end user you can use this cookie to perform a replay attack as long as the other user is logged in. By sending an email to a fake login you can tell when the user attempts to log in and replay their cookie.
Something like a session ID should be set alongside the zbx_session cookie to ensure that only one session at a time is using a particular cookie. The test for this issue can be performed by using two different browsers or systems.
- duplicates
  - ZBXNEXT-10013 User session IP/User-Agent binding
  - Open
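
The mitigation suggested in the description, combined with the IP/User-Agent binding named in ZBXNEXT-10013, as an added example that is not Zabbix code: the server binds each session to a client fingerprint and to a companion value sent alongside the session cookie, rotates that value on every request, and revokes the session when a stale or foreign copy shows up. `SessionStore`, the companion token and the fingerprint format are hypothetical names, and the rotating token is one possible reading of "something like a session ID".

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session table; a stand-in for the server's session storage."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user", "fingerprint", "companion"}

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Binding attributes named in ZBXNEXT-10013: client IP and User-Agent.
        return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()

    def login(self, user, ip, user_agent):
        sid = secrets.token_hex(16)        # value of the main session cookie
        companion = secrets.token_hex(16)  # hypothetical second cookie
        self._sessions[sid] = {
            "user": user,
            "fingerprint": self._fingerprint(ip, user_agent),
            "companion": companion,
        }
        return sid, companion

    def validate(self, sid, companion, ip, user_agent):
        """Return (user, next_companion) on success, (None, None) on failure."""
        session = self._sessions.get(sid)
        if session is None:
            return None, None
        same_client = hmac.compare_digest(
            session["fingerprint"].encode(),
            self._fingerprint(ip, user_agent).encode())
        fresh = hmac.compare_digest(
            session["companion"].encode(), companion.encode())
        if not (same_client and fresh):
            # A second holder of the cookie cannot be told apart from the
            # owner here, so revoke the session and force a new login.
            del self._sessions[sid]
            return None, None
        # Rotate on every request: a copied value is stale after one use.
        session["companion"] = secrets.token_hex(16)
        return session["user"], session["companion"]
```

Rotating on every request conflicts with parallel requests from one browser, and IP binding logs out clients whose address changes mid-session, so both checks need tuning before use.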