The above code checks all session files on the server disk if the modification is older than the defined time (one week). If so, they are deleted and the session therefore invalidated. The user get's a HTTP 404 (it would be better to redirect to the login page!).
Since all session files are checked on each request, the random condition just reduces the efort by just doing the check every 1000 requests (on average).
session_gc by the way seems to stand for session garbage collection.
IMHO this is a quite poor handling of session timeouts, especially if the timeout should be shorter and there is not to much traffic on the server. The behaviour is very unpredictable.
A different topic, but discovered at the same time: all passwords are stored in plaintext in the session files on the server disk. It looks like the system checks on every request, if the user is still valid using the password...
IMHO password never belong into any file or database in plain text. This is bad style and potentially a security risk.