Is there any reason that you didn't make use of T4 templates to generate classes and interfaces for the localization? It would mean users could use auto-complete, intelli-sense and get compile-time errors when using string localization, instead of run-time errors when it can't find a matching string?
Also, could be used to warn / error at compile-time if there are missing translations.
It can also be used in a similar way for app settings, connection strings and other configuration.
I noticed there is a "ASP.NET_SessionId" cookie. Is module zero making use of ASP.NET Sessions? Is it possible to turn this off?
Does Module Zero have built-in CSRF prevention or is this outside the scope of Module Zero?