most likely it is an issue with crossing domains, in other words going from mydomain.com to www.mydomain.com
the session contents are based on the domain. as far as the session cookie is concerned the address:
is different browsing session from
my guess is that some customers are accessing your site at:
and are being redirected to the thank you page at:
since it is a different browsing session, the cart is now empty.
you can prevent users from accessing your site without the www on the address using a an htaccess rul if your server is running apache: