Set Cache-Control: no-store on the Bokeh document page (#8636)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: MarcSkovMadsen

panel/io/server.py

@@ -635,6 +635,11 @@ def _render_auth_error(self, auth_error: str) -> str:
 
     @authenticated
     async def get(self, *args, **kwargs):
+        # Prevent the browser from caching the document page. The page embeds
+        # a short-lived Bokeh session token; a cached page served after a
+        # logout/login cycle would carry a stale token and the subsequent
+        # WebSocket connection would fail (see e.g. holoviz/panel#8634).
+        self.set_header("Cache-Control", "no-store")
         prefix = self.application.prefix
         if prefix and self.request.path == prefix and not prefix.endswith('/'):
             query_string = self.request.query if self.request.query else ''

panel/tests/test_server.py

@@ -157,6 +157,16 @@ def test_server_prefix_root_redirect():
     assert response.status_code == 200
     assert response.url.endswith('/foo/')
 
+def test_server_doc_page_is_not_cached():
+    # The document page embeds a short-lived Bokeh session token, so it must
+    # not be cached by the browser (a stale token breaks the WebSocket).
+    html = Markdown('# Title')
+
+    r = serve_and_request(html)
+
+    assert r.status_code == 200
+    assert r.headers.get('Cache-Control') == 'no-store'
+
 def test_server_static_dirs_index():
     html = Markdown('# Title')