Security decisions should not depend on branching. Because branching can be influenced by untrusted or client-provided data. For example, using a client-provided session ID (instead of a server-provided ID) in a conditional statement might allow an attacker to search for IDs of active sessions.