most likely it is an issue with crossing domains, in other words going from mydomain.com to www.mydomain.com
the session contents are based on the domain. as far as the session cookie is concerned the address:
mydomain.com
is a different browsing session from
www.mydomain.com
my guess is that some customers are accessing your site at:
shop.php
and are being redirected to the thank you page at:
thankyou.php
since it is a different browsing session, the cart is now empty.
you can prevent users from accessing your site without the www on the address using an htaccess rule if your server is running apache:
force-www-in-your-url-using-htaccess
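
The cookie scoping described in the answer above, as an added example that is not part of the original post: a simplified model of the RFC 6265 matching rules showing why a session cookie set on mydomain.com is not sent to www.mydomain.com, plus the canonical-host decision a force-www rule makes. It goes slightly beyond the post by also modelling the cookie Domain attribute; the cookie name `PHPSESSID`, the `https` scheme and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host that set the cookie, or its Domain attribute
    host_only: bool  # True when the response carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 domain-match for host names (IP addresses not handled)."""
    return host == domain or host.endswith("." + domain)


def store_cookie(request_host: str, name: str, value: str,
                 domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Simplified RFC 6265 storage step; public-suffix checks are omitted."""
    host = request_host.lower()
    if domain_attr is None:
        return Cookie(name, value, host, host_only=True)
    domain = domain_attr.lstrip(".").lower()
    if not domain_match(host, domain):
        return None  # a host may not set cookies for an unrelated domain
    return Cookie(name, value, domain, host_only=False)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_match(host, cookie.domain)


def canonical_redirect(request_host: str, path: str,
                       canonical: str = "www.mydomain.com",
                       scheme: str = "https") -> Optional[str]:
    """Location for a permanent redirect, or None if already canonical."""
    if request_host.lower() == canonical:
        return None
    return f"{scheme}://{canonical}{path}"


if __name__ == "__main__":
    # Constructed sample: session cookie set while shopping on the bare domain.
    cart = store_cookie("mydomain.com", "PHPSESSID", "constructed-id")
    print(is_sent(cart, "mydomain.com"), is_sent(cart, "www.mydomain.com"))
    print(canonical_redirect("mydomain.com", "/shop.php"))
```
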