We do not have the clear text of the passwords on our server, and we want to hash what the user entered in the app and then send it to the server (we send it over HTTPS).
We have md5(password) without salting on the server, but ASAP we will change it to md5(password+salt) or md5(md5(password)+salt), if it is secure! I read this question: Is it worth hashing passwords on the client side
But there was a problem: this is not secure if the server sends the salt to the app, because of the section titled "In a Web Application, always hash on the server" in the article below: https://crackstation.net/hashing-security.htm
So if I send md5(password+random bit) + random bit to the server, the server can't recognize whether the password is true or not, because the server only has the hashes of the passwords!
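
An added example, not part of the original post: a server that holds only md5(password) can move to a salted, slow hash without knowing any plaintext by wrapping each stored hash, so the password travels over HTTPS and the salt never leaves the server. PBKDF2-HMAC-SHA256, the iteration count, the record layout and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your server hardware


def legacy_md5(password: str) -> str:
    """What the server stores today: unsalted md5(password), hex encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy_hash(md5_hex: str) -> dict:
    """Upgrade one stored md5 hash in place; the plaintext is not needed."""
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    derived = hashlib.pbkdf2_hmac(
        "sha256", md5_hex.encode("ascii"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}


def migrate(legacy_db: dict) -> dict:
    """Replace every md5(password) entry with its salted, slow wrapper."""
    return {user: wrap_legacy_hash(h) for user, h in legacy_db.items()}


def verify_login(password: str, record: dict) -> bool:
    """Server-side check of a password received over HTTPS."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        legacy_md5(password).encode("ascii"),  # same inner step as at signup
        record["salt"],
        record["iterations"],
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample data: two users who happen to share a password.
LEGACY_DB = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("correct horse"),
}

if __name__ == "__main__":
    db = migrate(LEGACY_DB)
    print(verify_login("correct horse", db["alice"]))  # True
    print(verify_login("wrong guess", db["alice"]))    # False
    print(db["alice"]["hash"] != db["bob"]["hash"])    # True: salts differ
```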