Secure Authentication without SSL

[pkmyrd]

I thought of an authentication system without SSL that seems reasonably secure. Am I overlooking something important?[*]User hits the login page[*]Server generates a salt for transmission (t-salt) and stores it in the session[*]Server sends the t-salt to the user as part of the login page that loads[*]User types in their username and password and clicks submit[*]Browser MD5 encrypts their password along with the t-salt[*]Browser sends username and MD5 (password + t-salt) to the server[*]Server retrieves password from database using username (*) Note below[*]Server MD5 encrypts password retrieved from step 7 along with the t-salt that was stored in the session in step 2[*]Server compares both of the MD5s from step 6 and step 8[*]If they are identical, the login is successfully authenticated[*]The server removes the t-salt from the session (added in step 2) to prevent potential replay attacks* Note that the password retrieved in step 7 cannot be 1-way encrypted (as is common practice) in order for step 8 to work. But 2-way encryption systems can still be used to secure passwords at the database level. (Hey, that comes with the side benefit of allowing a more user friendly password recovery process.)Aside from my note immediately above, what are the strengths and weaknesses of this scheme?