Zabbix frontend is vulnerable to session hijacking as when running under https the zbx_sessionid cookie is not set as "secure".

The solution is simple, replace line 70 in /include/func.inc.php with the following:

setcookie($name, $value, isset($time) ? $time : 0, '/', $_SERVER['SERVER_NAME'], (bool)$_SERVER["HTTPS"]);