Are you starting at a domain that begins with www. and redirecting back to one without www. or vice versa?
Technically, if you browse to a site with www.domain.com and then go to it with just domain.com, they have two different sessions and act as two different sites. The solution is to force traffic to always use one or the other. This can be done in the .htaccess as well.
For instance, this would force the domain to always have www:
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Then make sure your return page URLs on the confirm.php page also include the "www." in the URL for consistency. Also make sure the page URLs on the confirm.php page include https:// now that you are using and forcing SSL.
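The rule set above, modelled in Python as an added example (not part of the original post), to show what each condition does and which Location a request would receive; a second helper flags return URLs that are not https:// on a www. host. The function names, `example.com` and the sample URLs are assumptions made up for the illustration. Note that `%1` carries the request's own scheme through, so these rules add www. but leave an http request on http.

```python
import re
from urllib.parse import urlsplit


def canonical_redirect(http_host, https, request_path):
    """Return the 301 Location the rules would send, or None for no redirect."""
    # RewriteCond %{HTTP_HOST} !^$  -> ignore requests with an empty Host
    if re.search(r"^$", http_host):
        return None
    # RewriteCond %{HTTP_HOST} !^www\. [NC]  -> ignore hosts already on www.
    if re.search(r"^www\.", http_host, re.IGNORECASE):
        return None
    # RewriteCond %{HTTPS}s ^on(s)|  -> test string is "ons" or "offs".
    # With HTTPS on, group 1 captures "s"; otherwise the empty alternative
    # matches and %1 is empty. The condition itself always succeeds.
    match = re.search(r"^on(s)|", ("on" if https else "off") + "s")
    pct1 = match.group(1) or ""
    # RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    return f"http{pct1}://www.{http_host}{request_path}"


def noncanonical_urls(urls):
    """Return the URLs that are not https:// on a host starting with www."""
    flagged = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host.startswith("www."):
            flagged.append(url)
    return flagged


# Constructed sample: return URLs as they might appear on a confirm.php page.
SAMPLE_RETURN_URLS = [
    "https://www.example.com/thanks.php",
    "https://example.com/cancel.php",
    "http://www.example.com/notify.php",
]

if __name__ == "__main__":
    for host, https in [("example.com", True), ("example.com", False),
                        ("www.example.com", True)]:
        print(host, https, "->", canonical_redirect(host, https, "/confirm.php"))
    print("fix these:", noncanonical_urls(SAMPLE_RETURN_URLS))
```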