I think this is probably because you allow users to browse to your web site both with and without the www. in front of the domain. However the redirect back to your site doesn't have the www.
This would cause any session variables including the cart contents and the transaction details to be cleared.
There are two possible solutions.
1) update your .htaccess to force people to browse your site with (or without) the www. in the beginning of the url and then update the redirects on the confirm.php page to reflect that change. (SEO experts will tell you it is best to use one or the other and not allow both anyway)
2) update the redirects on your confirm.php page to be dynamic and use the same syntax as the user browsing. You can accomplish this by updating lines 89-92 to:
$WA_PP_ECO_Set_params[$nextIndex] = "https://" .($_SERVER('SERVER_NAME')) ."/pp_confirm.php";
$nextIndex = count($WA_PP_ECO_Set_params);
$WA_PP_ECO_Set_params[$nextIndex] = "CancelURL";
$WA_PP_ECO_Set_params[$nextIndex] = "https://" .($_SERVER('SERVER_NAME')) ."/cart.php?ppcancel=1";