Because logging in and authenticating with AFS are distinct operations, you must both logout and unauthenticate (issue the unlog command to discard your tokens) when exiting an AFS session. Simply logging out does not necessarily destroy your tokens.
You can use the unlog command any time you want to unauthenticate, not just when logging out. For instance, it is a good practice to unauthenticate before leaving your machine unattended, to prevent other users from using your tokens during your absence. When you return to your machine, issue the aklog command to reauthenticate, as described in To Authenticate with AFS.
Do not issue the unlog command when you are running jobs that take a long time to complete, even if you are logging out. Such processes must have a token during the entire time they need authenticated access to AFS.
If you have tokens from multiple cells and want to discard only some of them, include the unlog command's -cell argument.
Issue the unlog command to discard your tokens:
% unlog -cell <
Omit the -cell argument to discard all of your tokens, or use it to name each cell for which to discard tokens. It is best to provide the full name of each cell (such as example.org or example.com).
You can issue the tokens command to verify that your tokens were destroyed, as in the following example.
% tokens Tokens held by the Cache Manager: --End of list--
In the following example, a user has tokens in both the accounting and marketing cells at her company. She discards the token for the acctg.example.com cell but keeps the token for the mktg.example.com cell.
% tokens Tokens held by the Cache Manager: User's (AFS ID 35) tokens for firstname.lastname@example.org [Expires Nov 10 22:30] User's (AFS ID 674) tokens for email@example.com [Expires Nov 10 18:44] --End of list-- % unlog -cell acctg.example.com % tokens Tokens held by the Cache Manager: User's (AFS ID 674) tokens for firstname.lastname@example.org [Expires Nov 10 18:44] --End of list--