Simon Buchan notes (correctly) that a client cannot send exactly the same encrypted bytes to the HTTPS server and have it accept them as valid; one of the protections HTTPS provides is protection against that sort of "blind" replay.
What Fiddler & TamperData do isn't the same thing-- these tools start with the the same unencrypted bytes (e.g. your username and password) and establish a new HTTPS connection to the server and then send the HTTPS request to the server again on that new connection.
So, it's a replay of the same HTTPS request, but not a replay of the same raw bytes.
There's no practical way to prevent a tool with access to the unencrypted data (like Fiddler has) from logging into your site using that information.