How does PHP server know that a session has ended?

1. Session ID is stored on the client in a way that usually dissipates when the browser is closed (stored as a cookie?).
2. Session ID and associated data is stored on the server (where?) for each client that starts one.

The main thing I wonder about is how the server knows when a session has ended, though. If the client no longer has the session ID stored (say, after closing their browser) and they try to ask the server for another session, it starts a new session. Does the server know to garbage collect the previous session data after some set amount of time? It seems to me like something that could be abused...

1. Session ID is usually stored on client browser using a cookie (alternatively, in URL parameters, but this is not recommended, as explained in http://php.net/manual/en/session.security.php)
2. Sessions are stored in the directory defined by session.save_path (e.g. /var/lib/php/sessions), or the system's temporary directory if this is not set (usually /tmp).

Sessions are garbage collected periodically, either by PHP itself during a request, or by a cron job (e.g. on Debian this is the default). See http://php.net/manual/en/session.configuration.php#ini.session.gc-probability

The main thing I wonder about is how the server knows when a session has ended

He doesn't know. However he knows when a session has not been used since a certain period of time, so it can delete unused sessions.

Does the server know to garbage collect the previous session data after some set amount of time?

Yes. This is defined by the session.gc_maxlifetime ini setting. Any session older than that will be deleted during a garbage collect. Garbage collect frequency can be tuned with the session.gc_probability and session.gc_divisor ini settings. (See doc.)

It seems to me like something that could be abused.

If you mean that someone may be able to create too many staled sessions on the server; yes this is probably true.