diff --git a/internal/db/migrations/postgres.gen.go b/internal/db/migrations/postgres.gen.go index 5252c7945f..641f0a09aa 100644 --- a/internal/db/migrations/postgres.gen.go +++ b/internal/db/migrations/postgres.gen.go @@ -3152,6 +3152,15 @@ create table target_tcp ( name text not null, -- name is not optional for a target subtype description text, default_port int, -- default_port can be null + -- max duration of the session in seconds. default of 0 equals no limit + session_duration_seconds int not null default 0 + check(session_duration_seconds >= 0), + -- limit on number of session connections allowed. default of 0 equals no limit + connection_limit int not null default 1 + check(connection_limit >= 0), + -- connection idle timout in seconds. default of 0 equals no limit + connection_idle_timeout_seconds int not null default 0 + check(connection_idle_timeout_seconds >= 0), create_time wt_timestamp, update_time wt_timestamp, version wt_version, @@ -3173,7 +3182,7 @@ create trigger immutable_columns before update on target_tcp - for each row execute procedure immutable_columns('public_id', 'scope_id', 'create_time'); + for each row execute procedure immutable_columns('public_id', 'scope_id', 'session_duration_seconds', 'connection_limit', 'connection_idle_timeout_seconds', 'create_time'); create trigger update_version_column @@ -3206,6 +3215,9 @@ select name, description, default_port, + session_duration_seconds, + connection_limit, + connection_idle_timeout_seconds, version, create_time, update_time, 
@@ -3395,6 +3407,12 @@ begin; certificate bytea not null, -- after this time the connection will be expired, e.g. forcefully terminated expiration_time wt_timestamp, -- maybe null + -- limit on number of session connections allowed. default of 0 equals no limit + connection_limit int not null default 1 + check(connection_limit >= 0), + -- connection idle timout in seconds. default of 0 equals no limit + connection_idle_timeout_seconds int not null default 0 + check(connection_idle_timeout_seconds >= 0), -- trust of first use token tofu_token bytea, -- will be null when session is first created -- the reason this session ended (null until terminated) @@ -3416,7 +3434,7 @@ begin; immutable_columns before update on session - for each row execute procedure immutable_columns('public_id', 'certificate', 'expiration_time', 'create_time'); + for each row execute procedure immutable_columns('public_id', 'certificate', 'expiration_time', 'connection_limit', 'create_time'); create trigger update_version_column diff --git a/internal/db/migrations/postgres/41_targets.up.sql b/internal/db/migrations/postgres/41_targets.up.sql index b11a9e2008..774c4e540a 100644 --- a/internal/db/migrations/postgres/41_targets.up.sql +++ b/internal/db/migrations/postgres/41_targets.up.sql 
@@ -99,6 +99,15 @@ create table target_tcp ( name text not null, -- name is not optional for a target subtype description text, default_port int, -- default_port can be null + -- max duration of the session in seconds. default of 0 equals no limit + session_duration_seconds int not null default 0 + check(session_duration_seconds >= 0), + -- limit on number of session connections allowed. default of 0 equals no limit + connection_limit int not null default 1 + check(connection_limit >= 0), + -- connection idle timout in seconds. default of 0 equals no limit + connection_idle_timeout_seconds int not null default 0 + check(connection_idle_timeout_seconds >= 0), create_time wt_timestamp, update_time wt_timestamp, version wt_version, @@ -120,7 +129,7 @@ create trigger immutable_columns before update on target_tcp - for each row execute procedure immutable_columns('public_id', 'scope_id', 'create_time'); + for each row execute procedure immutable_columns('public_id', 'scope_id', 'session_duration_seconds', 'connection_limit', 'connection_idle_timeout_seconds', 'create_time'); create trigger update_version_column @@ -153,6 +162,9 @@ select name, description, default_port, + session_duration_seconds, + connection_limit, + connection_idle_timeout_seconds, version, create_time, update_time, diff --git a/internal/db/migrations/postgres/50_session.up.sql b/internal/db/migrations/postgres/50_session.up.sql index 3225dd27a2..b25fcb9ca8 100644 --- a/internal/db/migrations/postgres/50_session.up.sql +++ b/internal/db/migrations/postgres/50_session.up.sql 
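Review bot: The comment on `connection_limit` in the `create table target_tcp` hunk says "default of 0 equals no limit", but the column is declared `default 1`, so a reader cannot tell whether leaving it unset means one connection or unlimited. The comments should separate the sentinel from the default, e.g. `-- max connections per session; 0 means no limit (default is 1)`, and `timout` should read `timeout`. The same wording sits on `connection_limit` in the `create table session` hunk of 50_session.up.sql. Separately, `session_duration_seconds` and `connection_idle_timeout_seconds` default to 0, which is unlimited unless the caller sets a value; if that permissive default is intended, a comment should say so. The table definition starts and ends outside the hunk.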
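Review bot: Listing `session_duration_seconds`, `connection_limit` and `connection_idle_timeout_seconds` in the `immutable_columns` trigger on `target_tcp` appears to freeze a target's session limits at creation time. Assuming the trigger rejects updates to the listed columns, a target created with the 0 (no limit) defaults could not be tightened in place and would have to be recreated. If operators are meant to tune these values, keep the list as `immutable_columns('public_id', 'scope_id', 'create_time')`. If freezing them is deliberate, add a comment above the trigger such as `-- session limits are fixed at target creation; recreate the target to change them`. The trigger statement begins outside the hunk.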
@@ -131,6 +131,12 @@ begin; certificate bytea not null, -- after this time the connection will be expired, e.g. forcefully terminated expiration_time wt_timestamp, -- maybe null + -- limit on number of session connections allowed. default of 0 equals no limit + connection_limit int not null default 1 + check(connection_limit >= 0), + -- connection idle timout in seconds. default of 0 equals no limit + connection_idle_timeout_seconds int not null default 0 + check(connection_idle_timeout_seconds >= 0), -- trust of first use token tofu_token bytea, -- will be null when session is first created -- the reason this session ended (null until terminated) @@ -152,7 +158,7 @@ begin; immutable_columns before update on session - for each row execute procedure immutable_columns('public_id', 'certificate', 'expiration_time', 'create_time'); + for each row execute procedure immutable_columns('public_id', 'certificate', 'expiration_time', 'connection_limit', 'create_time'); create trigger update_version_column
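Review bot: The `immutable_columns` list on `session` gains `connection_limit` but not `connection_idle_timeout_seconds`, although both columns are added together in the table hunk just above. Assuming the trigger rejects updates to listed columns, a session's idle timeout could still be changed after creation, including to 0 (no limit), while its connection limit could not. If the session row is meant to be a fixed snapshot of its constraints, list both: `immutable_columns('public_id', 'certificate', 'expiration_time', 'connection_limit', 'connection_idle_timeout_seconds', 'create_time')`. Otherwise a comment explaining why the timeout stays mutable would help. The trigger statement begins outside the hunk.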