It appears that when they click checkout you are redirecting from: http://browngrotta.com to: https://secure.browngrotta.com. These are technically different web sites and that would cause the cart to be emptied and prevent checkout.
You should install your SSL certificate on the same domain to prevent this problem. Alternatively you can use the ecart server behaviors to pass the session to the new site, but that is more difficult.
When I did my shopping starting at https://secure.browngrotta.com so that the cart contents wouldn't be lost when clicking checkout, then I got an error: syntax error, unexpected '@' in /www/browngrotta/confirm.php on line 228
What code is on line 228 of the confirm.php page? It looks like that would have to be addressed as well.