learned a lot from it
to the question
I'm not sure if a cookie is the way to go... how can I make sure no one fakes it?
One possible solution
'catchAllRequest' => ( (getenv('Maintenance') && session_start() && !isset($_SESSION['adminSession'])) ? array('maintenance/index') : null ),
An anonymous function would make my life easier, but it's not working... don't know why...