The problem is domain switching.
It happens when the address goes between using www and non-www for the domain.
For example:
If a user starts browsing your site using the address:
http://mydomain.com/store.php
and then PayPal returns them to the www address:
http://www.mydomain.com/pp_confirm.php
Those are considered 2 separate domains and thus 2 separate browsing sessions. The items added to the cart in the non-www address no longer exist when returned to the address using www.
To prevent this, use mod_rewrite to force all traffic to use the www address:
http://www.htaccessbasics.com/force-www-nonwww-domain/
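
The rewrite rule described above, as an added example that is not part of the original post or the linked page. It assumes Apache with mod_rewrite enabled, a `.htaccess` file in the document root, and the post's placeholder host `mydomain.com`.

```apache
# Constructed example: .htaccess in the document root of mydomain.com.
# Assumes mod_rewrite is loaded and AllowOverride permits rewrite directives.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Match only requests whose Host header is the bare domain
    # (case-insensitive), so requests already on www are left alone
    # and no redirect loop is possible.
    RewriteCond %{HTTP_HOST} ^mydomain\.com$ [NC]

    # Permanently redirect to the same path on the www host.
    # In .htaccess context the leading slash is stripped from the match,
    # so it is added back here; the query string is carried over by default.
    RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R=301,L]
</IfModule>
```

With this in place a visitor who types `http://mydomain.com/store.php` is moved to the www host before the cart session starts, so the session cookie is issued for the same host PayPal returns them to.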