Just to follow up on this. I deleted a cookie set by the site on my Edge browser and the maintenance mode is now enforced.
With Chrome it was different. I deleted the cookies I found (there were more because I also use Chrome for admin) but nothing happened. I refreshed the page and four cookies appeared once I’d clicked the complicance notice, two GA ones, a complianceCookie and a tamarind_session. I deleted those and now finally maintenance mode is enforced.
How is this possible? I’d expect, if the site is offline, it shouldn’t serve anyone other than admin.
I’ve just realised that, with the web site in maintenance mode, if you log in using an admin permission in another tab, this may be a restricted admin (for certain views) or full admin, the non admin web site become available to the browser even when admin logs out of the other tab.
This isn’t especially problematic in my opinion although I do think the behavior is more than a little bizarre as I would expect the two sessions to have distinct authentication.