1. Session ID is usually stored on client browser using a cookie (alternatively, in URL parameters, but this is not recommended, as explained in http://php.net/manual/en/session.security.php)
2. Sessions are stored in the directory defined by session.save_path (e.g. /var/lib/php/sessions), or the system’s temporary directory if this is not set (usually /tmp).

Sessions are garbage collected periodically, either by PHP itself during a request, or by a cron job (e.g. on Debian this is the default). See http://php.net/manual/en/session.configuration.php#ini.session.gc-probability

The main thing I wonder about is how the server knows when a session has ended

He doesn’t know. However he knows when a session has not been used since a certain period of time, so it can delete unused sessions.

Does the server know to garbage collect the previous session data after some set amount of time?

Yes. This is defined by the session.gc_maxlifetime ini setting. Any session older than that will be deleted during a garbage collect. Garbage collect frequency can be tuned with the session.gc_probability and session.gc_divisor ini settings. (See doc.)

It seems to me like something that could be abused.

If you mean that someone may be able to create too many staled sessions on the server; yes this is probably true.