I just stumbled upon this and would like some clarification.
In my reasoning, during registration, the random salt (client salt) generated can still be intercepted by a MITM attack and reverse engineered to generate the actual password (since the code to hash the password is at the client).
During login, the hashes for the user name are sent, which can be intercepted, and a hacker can reverse engineer the client-side hashing algorithm to recreate the actual password using the doubly (or three times) hashed password sent to the server. All the hashing information going through can still be intercepted on an insecure connection such as plain HTTP, and the hashing algorithms are easily accessed at the client.
I believe using HTTPS or SSL to secure communication is the best way, or perhaps using OAuth 2 or something. If not, you are simply adding indirection and it can be deciphered by a very intelligent hacker.
Am I missing something?
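
An added illustration (not part of the comment above, and not the code of the scheme it refers to): what a client-side salted hash sent over plain HTTP does and does not protect. The scheme shown (PBKDF2 on the client, optional server nonce) and every name in it are assumptions made for this sketch; the password and candidate list are constructed sample values.

```python
import hashlib, hmac, secrets

def client_hash(password: str, salt: bytes) -> bytes:
    # Assumed client-side step: salted, slow hash computed before sending.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class StaticServer:
    """Accepts the client hash itself and stores SHA-256 of it."""
    def __init__(self, password: str, salt: bytes):
        self.stored = hashlib.sha256(client_hash(password, salt)).digest()
    def login(self, sent: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(sent).digest(), self.stored)

class NonceServer:
    """Sends a fresh nonce per attempt; expects HMAC(client_hash, nonce)."""
    def __init__(self, password: str, salt: bytes):
        self.key = client_hash(password, salt)
        self.nonce = None
    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def login(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(self.key, self.nonce, "sha256").digest()
        self.nonce = None  # a nonce is valid for one attempt only
        return hmac.compare_digest(response, expected)

def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    return hmac.new(client_hash(password, salt), nonce, "sha256").digest()

def guess_from_transcript(salt, nonce, response, candidates):
    # Salt, nonce and response all crossed the wire, so guesses are checked offline.
    for candidate in candidates:
        if hmac.compare_digest(respond(candidate, salt, nonce), response):
            return candidate
    return None

def demo():
    salt, pw = secrets.token_bytes(16), "sunshine1"  # constructed sample values
    # Static scheme: the value seen on the wire is accepted again as-is.
    replay_static = StaticServer(pw, salt).login(client_hash(pw, salt))
    srv = NonceServer(pw, salt)
    nonce = srv.challenge()
    resp = respond(pw, salt, nonce)
    first = srv.login(resp)
    srv.challenge()                  # next attempt gets a new nonce
    replay_nonce = srv.login(resp)   # old response no longer matches
    guessed = guess_from_transcript(salt, nonce, resp, ["letmein", "sunshine1"])
    return replay_static, first, replay_nonce, guessed
```

`demo()` returns `(True, True, False, "sunshine1")`: the hash is not inverted, but without transport encryption it acts as the password in the static scheme, and even with a nonce a weak password can be recovered by guessing against the observed exchange.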